Opened 7 years ago

Closed 7 years ago

#30145 closed Bug (invalid)

SQLCompiler do not escape names correctly

Reported by: Artem Skoretskiy Owned by: nobody
Component: Database layer (models, ORM) Version: dev
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

I generate custom SQL and I have tried to use SQLCompiler to escape (quote) table names. But it does not work as expected:

>>> from django.contrib.auth.models import User
>>> qs = User.objects.all()
>>> compiler = qs.query.get_compiler(using=qs.db)
>>> name = 'b"; drop table "world'
>>> sql = 'alter table x rename column a to {};'.format(compiler.quote_name_unless_alias(name))
>>> print(sql)
alter table x rename column a to "b"; drop table "world";

I would expect that it would return name that I could use in raw SQL.

You could try youself:

docker run -ti --rm python:3.7-alpine sh -c "pip install -q https://github.com/django/django/archive/master.zip && django-admin.py startproject project . && ./manage.py shell"

Change History (1)

comment:1 by Tim Graham, 7 years ago

Resolution: invalid
Status: newclosed

SQLCompiler isn't a public API. Any usage is at your own risk.

Note: See TracTickets for help on using tickets.
Back to Top