Opened 3 years ago

Closed 3 years ago

#21844 closed Cleanup/optimization (fixed)

BaseDatabaseOperations.quote_parameter should be relocated to DatabaseSchemaEditor

Reported by: Michael Manfre
Owned by: nobody
Component: Migrations
Version: master
Severity: Release blocker
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Schema migrations added BaseDatabaseOperations.quote_parameter to help generate an SQL string. Per the docstring, "This should NOT be used to prepare SQL statements to send to the database". It should be relocated to BaseDatabaseSchemaEditor because that is the only place it should be used.

Setting ticket as release blocker because leaving it on BaseDatabaseOperations can lead to future code misusing this and the implementation (specifically Oracle's) is an SQL injection waiting to happen.
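The distinction the description draws, as an added example that is not part of the ticket and is not Django's code: a quoting helper is defensible only for schema DDL, where a value such as a column DEFAULT cannot be bound, and becomes an injection risk once it is used to build statements sent to the database. The helper names (naive_quote, ddl_quote, add_column_sql), the users table and the input value are all hypothetical, and sqlite3 stands in for the backend.

```python
import sqlite3

def naive_quote(value):
    # Hypothetical helper: wraps the value in quotes without escaping it.
    return "'%s'" % value

def ddl_quote(value):
    # Hypothetical DDL-only quoter: accepts a few known types and doubles
    # embedded single quotes; anything else is refused.
    if isinstance(value, bool):
        return "1" if value else "0"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        return "'%s'" % value.replace("'", "''")
    raise ValueError("cannot quote %r for DDL" % (value,))

def add_column_sql(column, default):
    # DEFAULT clauses cannot take bound parameters, so the literal is inlined.
    # The column name here is a trusted constant supplied by the caller.
    return 'ALTER TABLE users ADD COLUMN "%s" TEXT DEFAULT %s' % (
        column, ddl_quote(default))

def lookup_interpolated(conn, name):
    # Misuse: a quoting helper builds a statement that is sent to the database.
    sql = "SELECT id FROM users WHERE name = %s ORDER BY id" % naive_quote(name)
    return conn.execute(sql).fetchall()

def lookup_bound(conn, name):
    # Correct: the driver binds the value, so it is never parsed as SQL.
    sql = "SELECT id FROM users WHERE name = ? ORDER BY id"
    return conn.execute(sql, (name,)).fetchall()

def make_db():
    # Constructed sample data in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",)])
    conn.execute(add_column_sql("nick", "o'neil"))
    return conn

if __name__ == "__main__":
    conn = make_db()
    value = "nobody' OR '1'='1"  # constructed input
    print("bound:       ", lookup_bound(conn, value))
    print("interpolated:", lookup_interpolated(conn, value))
    print("DDL default: ", conn.execute("SELECT nick FROM users").fetchall())
```

The bound lookup matches no rows for the constructed value, while the interpolated lookup returns every row because the value has become part of the WHERE clause.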

Change History (2)

comment:1 Changed 3 years ago by Aymeric Augustin

Component: Database layer (models, ORM) → Migrations
Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset
Triage Stage: Unreviewed → Accepted

comment:2 Changed 3 years ago by Andrew Godwin <andrew@…>

Resolution: fixed
Status: new → closed

In 42607a9e33e63639d1da2166b9a2f85c691e07ae:

Fixed #21844: Move quote_parameter off of Operations and rename
