#26899: Document why RawSQL requires parameters
-------------------------------------+-------------------------------------
     Reporter:  wolever              |                    Owner:  petedmarsh
         Type:  Cleanup/optimization |                   Status:  closed
    Component:  Documentation        |                  Version:  master
     Severity:  Normal               |               Resolution:  fixed
     Keywords:                       |             Triage Stage:  Ready for
                                     |  checkin
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  1                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Comment (by wolever):

 That's absolutely fair! I just want to make sure that the (potentially
 many?) use cases which don't involve any parameters are being considered
 (ex, adding an `array_agg` to a `groupby`, selecting a column from an
 intermediary many-to-many table, a subselect that doesn't require
 parameters, and I'm sure you can imagine a bunch more).

 Anyway, if this has been considered and parameters are the final decision,
 the one last request I would make (and PR I could provide): provide a
 default value for the `params` argument which raises an explanatory
 exception (it took me 15 minutes to figure out why `RawSQL("some_column")`
 was raising a `__init__ takes 3 arguments but 2 were provided` error).

 {{{
 def __init__(self, query, params=Undefined, …):
     if params is Undefined:
         raise TypeError(
             "params must always be provided to RawSQL to reduce the risk of SQL injection. "
             "Use `params=()` if your query does not require any parameters."
         )
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/26899#comment:12>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
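The sentinel-default guard proposed in the comment above, worked through as an added example. This is not Django's own `RawSQL` (django.db.models.expressions.RawSQL) and not code from the ticket: the `RawSQL` class, the `Undefined` sentinel name (taken from the snippet), the `as_sql` method, the `%s`-to-`?` placeholder rewrite and the in-memory sqlite3 table with its three constructed rows are all assumptions made for illustration. It shows the explanatory `TypeError` a caller gets when `params` is forgotten, the explicit `params=()` form for a fragment with no parameters, and that a value passed through `params` (here a name containing a quote character) is bound by the driver as data rather than spliced into the SQL text.

```python
import sqlite3

# Sentinel: lets __init__ tell "params not passed at all" apart from
# params=() or params=None. Name follows the ticket comment's snippet.
Undefined = object()


class RawSQL:
    """Illustrative stand-in for a raw-SQL expression (not Django's class).

    The guard in __init__ is the one the comment proposes: forgetting
    `params` raises an explanatory TypeError instead of a bare arity error.
    """

    def __init__(self, sql, params=Undefined, output_field=None):
        if params is Undefined:
            raise TypeError(
                "params must always be provided to RawSQL to reduce the risk "
                "of SQL injection. Use `params=()` if your query does not "
                "require any parameters."
            )
        self.sql = sql
        self.params = tuple(params)
        self.output_field = output_field  # kept for signature realism only

    def as_sql(self):
        """Return (sql, params) for the driver to bind.

        Assumption: Django-style `%s` placeholders are rewritten to sqlite3's
        `?` here; the SQL text itself is never formatted with the values.
        """
        return self.sql.replace("%s", "?"), self.params


def guard_message_for_missing_params():
    """Construct RawSQL without params; return the explanatory message or None."""
    try:
        RawSQL("some_column")
    except TypeError as exc:
        return str(exc)
    return None


def _run(expression):
    """Execute an expression against a throwaway in-memory table.

    The three author rows are constructed sample data for this example.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE author (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO author (name) VALUES (?)",
        [("Ada",), ("O'Brien",), ("Grace",)],
    )
    sql, params = expression.as_sql()
    rows = conn.execute(sql, params).fetchall()
    conn.close()
    return rows


def count_with_no_params():
    """A fragment that needs no parameters still passes params=() explicitly."""
    expr = RawSQL("SELECT COUNT(*) FROM author", params=())
    return _run(expr)[0][0]


def names_matching(name):
    """Bind a caller-supplied value through params, never into the SQL string."""
    expr = RawSQL("SELECT name FROM author WHERE name = %s", params=(name,))
    return [row[0] for row in _run(expr)]


if __name__ == "__main__":
    print(guard_message_for_missing_params())
    print(count_with_no_params())
    print(names_matching("O'Brien"))
```

The guard costs nothing at runtime beyond an identity check, and because the default is a private sentinel rather than `None`, a caller who genuinely has no parameters must write `params=()` and thereby states the intent explicitly, which is the documentation point the ticket is about.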