Re: [Django] #32231: It should be possible to pass None as params for Model.objects.raw

2021-01-05 Thread Django
#32231: It should be possible to pass None as params for Model.objects.raw
----------------------------------------------------------------------
 Reporter:  Alexander Lyabah
 Owner:  Alexander Lyabah
 Type:  Bug
 Status:  closed
 Component:  Database layer (models, ORM)
 Version:  master
 Severity:  Normal
 Resolution:  fixed
 Keywords:  raw, psycopg2, execute, orm, db
 Triage Stage:  Ready for checkin
 Has patch:  1
 Needs documentation:  0
 Needs tests:  0
 Patch needs improvement:  0
 Easy pickings:  0
 UI/UX:  0
----------------------------------------------------------------------
Changes (by Mariusz Felisiak):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 In [changeset:"415f50298f97fb17f841a9df38d995ccf347dfcc" 415f5029]:
 {{{
 #!CommitTicketReference repository=""
 revision="415f50298f97fb17f841a9df38d995ccf347dfcc"
 Fixed #32231 -- Allowed passing None params to QuerySet.raw().
 }}}

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/064.98de1aad5a2de1ef7dd8beadcaa45ede%40djangoproject.com.


Re: [Django] #32231: It should be possible to pass None as params for Model.objects.raw

2021-01-05 Thread Django
#32231: It should be possible to pass None as params for Model.objects.raw
----------------------------------------------------------------------
 Reporter:  Alexander Lyabah
 Owner:  Alexander Lyabah
 Type:  Bug
 Status:  assigned
 Component:  Database layer (models, ORM)
 Version:  master
 Severity:  Normal
 Resolution:
 Keywords:  raw, psycopg2, execute, orm, db
 Triage Stage:  Ready for checkin
 Has patch:  1
 Needs documentation:  0
 Needs tests:  0
 Patch needs improvement:  0
 Easy pickings:  0
 UI/UX:  0
----------------------------------------------------------------------

Comment (by Mariusz Felisiak):

 In [changeset:"aa3d36063174cc1e16a1e5150b6b47609dd1e79a" aa3d3606]:
 {{{
 #!CommitTicketReference repository=""
 revision="aa3d36063174cc1e16a1e5150b6b47609dd1e79a"
 Refs #32231 -- Added tests for QuerySet.raw() with an escaped % symbol.
 }}}



Re: [Django] #32231: It should be possible to pass None as params for Model.objects.raw

2021-01-05 Thread Django
#32231: It should be possible to pass None as params for Model.objects.raw
----------------------------------------------------------------------
 Reporter:  Alexander Lyabah
 Owner:  Alexander Lyabah
 Type:  Bug
 Status:  assigned
 Component:  Database layer (models, ORM)
 Version:  master
 Severity:  Normal
 Resolution:
 Keywords:  raw, psycopg2, execute, orm, db
 Triage Stage:  Ready for checkin
 Has patch:  1
 Needs documentation:  0
 Needs tests:  0
 Patch needs improvement:  0
 Easy pickings:  0
 UI/UX:  0
----------------------------------------------------------------------
Changes (by Mariusz Felisiak):

 * needs_better_patch:  1 => 0
 * stage:  Accepted => Ready for checkin
 * needs_docs:  1 => 0




Re: [Django] #32231: It should be possible to pass None as params for Model.objects.raw

2020-12-21 Thread Django
#32231: It should be possible to pass None as params for Model.objects.raw
----------------------------------------------------------------------
 Reporter:  Alexander Lyabah
 Owner:  Alexander Lyabah
 Type:  Bug
 Status:  assigned
 Component:  Database layer (models, ORM)
 Version:  master
 Severity:  Normal
 Resolution:
 Keywords:  raw, psycopg2, execute, orm, db
 Triage Stage:  Accepted
 Has patch:  1
 Needs documentation:  1
 Needs tests:  0
 Patch needs improvement:  1
 Easy pickings:  0
 UI/UX:  0
----------------------------------------------------------------------
Changes (by Mariusz Felisiak):

 * needs_better_patch:  0 => 1
 * needs_docs:  0 => 1




Re: [Django] #32231: It should be possible to pass None as params for Model.objects.raw

2020-12-09 Thread Django
#32231: It should be possible to pass None as params for Model.objects.raw
----------------------------------------------------------------------
 Reporter:  Alexander Lyabah
 Owner:  Alexander Lyabah
 Type:  Bug
 Status:  assigned
 Component:  Database layer (models, ORM)
 Version:  master
 Severity:  Normal
 Resolution:
 Keywords:  raw, psycopg2, execute, orm, db
 Triage Stage:  Accepted
 Has patch:  1
 Needs documentation:  0
 Needs tests:  0
 Patch needs improvement:  0
 Easy pickings:  0
 UI/UX:  0
----------------------------------------------------------------------
Changes (by Jacob Walls):

 * owner:  nobody => Alexander Lyabah
 * status:  new => assigned




Re: [Django] #32231: It should be possible to pass None as params for Model.objects.raw

2020-11-28 Thread Django
#32231: It should be possible to pass None as params for Model.objects.raw
----------------------------------------------------------------------
 Reporter:  Alexander Lyabah
 Owner:  nobody
 Type:  Bug
 Status:  new
 Component:  Database layer (models, ORM)
 Version:  master
 Severity:  Normal
 Resolution:
 Keywords:  raw, psycopg2, execute, orm, db
 Triage Stage:  Accepted
 Has patch:  1
 Needs documentation:  0
 Needs tests:  0
 Patch needs improvement:  0
 Easy pickings:  0
 UI/UX:  0
----------------------------------------------------------------------
Changes (by Simon Charette):

 * version:  2.2 => master
 * stage:  Unreviewed => Accepted


Comment:

 To amend what I said above, `cursor` works fine, it's only `raw` that
 doesn't so the documentation divergence seems moot.

 Allowing `params=None` to be explicitly specified to opt-in this behaviour
 like the reporter suggested seems like an acceptable compromise.



Re: [Django] #32231: It should be possible to pass None as params for Model.objects.raw

2020-11-28 Thread Django
#32231: It should be possible to pass None as params for Model.objects.raw
----------------------------------------------------------------------
 Reporter:  Alexander Lyabah
 Owner:  nobody
 Type:  Bug
 Status:  new
 Component:  Database layer (models, ORM)
 Version:  2.2
 Severity:  Normal
 Resolution:
 Keywords:  raw, psycopg2, execute, orm, db
 Triage Stage:  Unreviewed
 Has patch:  1
 Needs documentation:  0
 Needs tests:  0
 Patch needs improvement:  0
 Easy pickings:  0
 UI/UX:  0
----------------------------------------------------------------------

Comment (by Alexander Lyabah):

 I update the patch for backward compatibility



Re: [Django] #32231: It should be possible to pass None as params for Model.objects.raw

2020-11-28 Thread Django
#32231: It should be possible to pass None as params for Model.objects.raw
----------------------------------------------------------------------
 Reporter:  Alexander Lyabah
 Owner:  nobody
 Type:  Bug
 Status:  new
 Component:  Database layer (models, ORM)
 Version:  2.2
 Severity:  Normal
 Resolution:
 Keywords:  raw, psycopg2, execute, orm, db
 Triage Stage:  Unreviewed
 Has patch:  1
 Needs documentation:  0
 Needs tests:  0
 Patch needs improvement:  0
 Easy pickings:  0
 UI/UX:  0
----------------------------------------------------------------------
Changes (by Alexander Lyabah):

 * Attachment "params_none.diff" added.




Re: [Django] #32231: It should be possible to pass None as params for Model.objects.raw

2020-11-28 Thread Django
#32231: It should be possible to pass None as params for Model.objects.raw
----------------------------------------------------------------------
 Reporter:  Alexander Lyabah
 Owner:  nobody
 Type:  Bug
 Status:  new
 Component:  Database layer (models, ORM)
 Version:  2.2
 Severity:  Normal
 Resolution:
 Keywords:  raw, psycopg2, execute, orm, db
 Triage Stage:  Unreviewed
 Has patch:  1
 Needs documentation:  0
 Needs tests:  0
 Patch needs improvement:  0
 Easy pickings:  0
 UI/UX:  0
----------------------------------------------------------------------

Comment (by Simon Charette):

 From the ''Executing custom SQL directly'' section of the
 ''[https://docs.djangoproject.com/en/3.1/topics/db/sql/#executing-custom-sql-directly Performing raw SQL queries documentation]''

 > Note that if you want to include literal percent signs in the query, you
 > have to double them **in the case you are passing parameters**:
 >
 > `cursor.execute("SELECT foo FROM bar WHERE baz = '30%'")`
 > `cursor.execute("SELECT foo FROM bar WHERE baz = '30%%' AND id = %s", [self.id])`

 So it seems that it was meant to work the way described above when no
 parameters are provided but it was never tested to do so and might have
 regressed at some point?

 We should determine for how long the implementation has diverged from the
 documentation to take an informed decision here as some users might have
 simply worked around this limitation by always doubling percentage signs
 even when no parameters are provided over the years. If we were to simply
 switch back to the documented way of doing things we could silently break
 queries of the form

 {{{#!python
 cursor.execute("SELECT foo FROM bar WHERE baz = '30%%'")
 }}}

 I think we either need to go through a deprecation period where
 `params=()` keeps being passed `if '%%' in sql` or bite the bullet and
 adjust the documentation accordingly.



Re: [Django] #32231: It should be possible to pass None as params for Model.objects.raw

2020-11-28 Thread Django
#32231: It should be possible to pass None as params for Model.objects.raw
----------------------------------------------------------------------
 Reporter:  Alexander Lyabah
 Owner:  nobody
 Type:  Bug
 Status:  new
 Component:  Database layer (models, ORM)
 Version:  2.2
 Severity:  Normal
 Resolution:
 Keywords:  raw, psycopg2, execute, orm, db
 Triage Stage:  Unreviewed
 Has patch:  1
 Needs documentation:  0
 Needs tests:  0
 Patch needs improvement:  0
 Easy pickings:  0
 UI/UX:  0
----------------------------------------------------------------------

Comment (by Simon Charette):

 Not sure I understand the rationale here

 Doing something along

 {{{#!python
 query = "SELECT * FROM raw_query_author WHERE first_name like 'J%'"
 qset = Author.objects.raw(query)
 }}}

 Is prone to SQL injection assuming `'J%'` could be coming from user input,
 you definitely want to be doing the following instead

 {{{#!python
 query = "SELECT * FROM raw_query_author WHERE first_name like %s"
 qset = Author.objects.raw(query, ('J%',))
 }}}



Re: [Django] #32231: It should be possible to pass None as params for Model.objects.raw

2020-11-28 Thread Django
#32231: It should be possible to pass None as params for Model.objects.raw
----------------------------------------------------------------------
 Reporter:  Alexander Lyabah
 Owner:  nobody
 Type:  Bug
 Status:  new
 Component:  Database layer (models, ORM)
 Version:  2.2
 Severity:  Normal
 Resolution:
 Keywords:  raw, psycopg2, execute, orm, db
 Triage Stage:  Unreviewed
 Has patch:  1
 Needs documentation:  0
 Needs tests:  0
 Patch needs improvement:  0
 Easy pickings:  0
 UI/UX:  0
----------------------------------------------------------------------
Changes (by Alexander Lyabah):

 * Attachment "params_none.diff" added.




Re: [Django] #32231: It should be possible to pass None as params for Model.objects.raw

2020-11-28 Thread Django
#32231: It should be possible to pass None as params for Model.objects.raw
----------------------------------------------------------------------
 Reporter:  Alexander Lyabah
 Owner:  nobody
 Type:  Bug
 Status:  new
 Component:  Database layer (models, ORM)
 Version:  2.2
 Severity:  Normal
 Resolution:
 Keywords:  raw, psycopg2, execute, orm, db
 Triage Stage:  Unreviewed
 Has patch:  1
 Needs documentation:  0
 Needs tests:  0
 Patch needs improvement:  0
 Easy pickings:  0
 UI/UX:  0
----------------------------------------------------------------------
Changes (by Alexander Lyabah):

 * Attachment "params_none.diff" added.

