#26899: Document why RawSQL requires parameters
-------------------------------------+-------------------------------------
     Reporter:  wolever              |                    Owner:  petedmarsh
         Type:  Cleanup/optimization |                   Status:  closed
    Component:  Documentation        |                  Version:  master
     Severity:  Normal               |               Resolution:  fixed
     Keywords:                       |             Triage Stage:  Ready for checkin
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  1                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by wolever):

 That's absolutely fair!

 I just want to make sure that the (potentially many?) use cases which
 don't involve any parameters are being considered (e.g., adding an
 `array_agg` to a `groupby`, selecting a column from an intermediary many-
 to-many table, a subselect that doesn't require parameters, and I'm sure
 you can imagine a bunch more).

 Anyway, if this has been considered and parameters are the final decision,
 the one last request I would make (and PR I could provide): provide a
 default value for the `params` argument which raises an explanatory
 exception (it took me 15 minutes to figure out why `RawSQL("some_column")`
 was raising a `__init__ takes 3 arguments but 2 were provided` error).

 {{{
 def __init__(self, query, params=Undefined, …):
     # `Undefined` is a sentinel so an omitted `params` can be told apart
     # from an explicit `params=None`.
     if params is Undefined:
         raise TypeError(
             "params must always be provided to RawSQL to reduce the risk "
             "of SQL injection. "
             "Use `params=()` if your query does not require any "
             "parameters."
         )
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/26899#comment:12>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
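Added example, not part of the ticket or of Django's own `RawSQL` code: a hypothetical `raw_sql()` helper that implements the guard proposed in the comment above (a sentinel default that raises an explanatory `TypeError` when `params` is omitted), driven against a constructed in-memory SQLite table so the two legitimate cases stand side by side: a caller-supplied value bound as a parameter, and a parameterless expression passed with `params=()`. The `_UNDEFINED` sentinel, the `person` table and its rows are assumptions for the demo; SQLite's `?` placeholder is used here where Django's `RawSQL` uses `%s`.

```python
import sqlite3

# Sentinel so "params was omitted" can be told apart from "params is None".
# Hypothetical; Django's RawSQL does not expose this name.
_UNDEFINED = object()


def raw_sql(query, params=_UNDEFINED):
    """Return a (query, params) pair, refusing to build one without params.

    Stand-in for the guard proposed in the ticket comment; not Django's
    RawSQL implementation.
    """
    if params is _UNDEFINED:
        raise TypeError(
            "params must always be provided to RawSQL to reduce the risk "
            "of SQL injection. Use params=() if your query does not require "
            "any parameters."
        )
    return query, tuple(params)


def _demo_connection():
    """Constructed in-memory table with sample rows; not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)"
    )
    conn.executemany(
        "INSERT INTO person (name, age) VALUES (?, ?)",
        [("Alice", 34), ("O'Brien", 41), ("Bob", 27)],
    )
    return conn


def lookup_ages(name):
    """Select ages by name; the caller-supplied name is bound, never interpolated,
    so a value containing a quote (e.g. O'Brien) is handled as plain data."""
    conn = _demo_connection()
    query, params = raw_sql("SELECT age FROM person WHERE name = ?", (name,))
    rows = conn.execute(query, params).fetchall()
    conn.close()
    return [age for (age,) in rows]


def count_people():
    """A parameterless expression: explicit params=() documents that nothing
    caller-controlled is spliced into the SQL text."""
    conn = _demo_connection()
    query, params = raw_sql("SELECT COUNT(*) FROM person", ())
    (n,) = conn.execute(query, params).fetchone()
    conn.close()
    return n


def omitted_params_error():
    """Return the message raised when params is left out, as in RawSQL("some_column")."""
    try:
        raw_sql("some_column")
    except TypeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(lookup_ages("O'Brien"))   # [41]
    print(count_people())           # 3
    print(omitted_params_error())
```

The point of the explicit default is diagnostic, not defensive in itself: `raw_sql("some_column")` fails with a message that names the fix, instead of an arity error from `__init__`, while `params=()` remains a one-token way to state that a query genuinely has nothing to bind.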
