Examples of fetching raw SQL don't work for non-unique column names.
The documentation on executing custom SQL directly includes a code sample for dictfetchall. When the cursor executes a SELECT statement for two identically named table columns (e.g., "foo"."id" and "bar"."id") then the resulting dict ends up with just one id key.
In other words, the consumer may deal with an ID for bar when they expected an ID for foo, causing unanticipated behavior and threatening information security. This behavior can be very difficult to pin down, especially since Django is considered reputable.
The same problem can be observed in the code sample for namedtuplefetchall but will instead result in a runtime error.
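The collision described in the ticket, reproduced as an added example (not code from the ticket or from Django's own test suite). The dictfetchall and namedtuplefetchall helpers are copied from the Django docs; the sqlite3 in-memory database, the foo/bar tables, the queries and the safe_dictfetchall variant are constructed here for illustration and stand in for a Django connection.cursor().

```python
import sqlite3
from collections import namedtuple


# Helpers as they appear in the Django docs on executing custom SQL directly.
def dictfetchall(cursor):
    """Return all rows from a cursor as a list of dicts keyed by column name."""
    columns = [col[0] for col in cursor.description]
    return [dict(zip(columns, row)) for row in cursor.fetchall()]


def namedtuplefetchall(cursor):
    """Return all rows from a cursor as a list of namedtuples."""
    desc = cursor.description
    nt_result = namedtuple("Result", [col[0] for col in desc])
    return [nt_result(*row) for row in cursor.fetchall()]


# Added defensive variant (assumption, not from the docs): fail loudly on
# duplicate column names instead of letting the last column silently win.
def safe_dictfetchall(cursor):
    columns = [col[0] for col in cursor.description]
    duplicates = sorted({c for c in columns if columns.count(c) > 1})
    if duplicates:
        raise ValueError(
            "result set has duplicate column names %s; alias them in the SELECT"
            % ", ".join(duplicates)
        )
    return [dict(zip(columns, row)) for row in cursor.fetchall()]


# Constructed schema: two tables whose primary keys are both called "id".
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE foo (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE bar (id INTEGER PRIMARY KEY, foo_id INTEGER, label TEXT);
        INSERT INTO foo VALUES (1, 'alpha');
        INSERT INTO bar VALUES (7, 1, 'first');
        """
    )
    return conn


# Both columns come back named plain "id" in cursor.description.
AMBIGUOUS_SQL = "SELECT foo.id, bar.id FROM foo JOIN bar ON bar.foo_id = foo.id"
# The fix the ticket points at: give each column a unique alias.
ALIASED_SQL = (
    "SELECT foo.id AS foo_id, bar.id AS bar_id "
    "FROM foo JOIN bar ON bar.foo_id = foo.id"
)


def run_query(sql, fetch=dictfetchall):
    """Execute sql on a fresh in-memory DB and hand the cursor to fetch()."""
    conn = build_db()
    try:
        cur = conn.cursor()
        cur.execute(sql)
        return fetch(cur)
    finally:
        conn.close()


def raises_value_error(sql, fetch):
    """True if fetch() refuses the result set of sql with a ValueError."""
    try:
        run_query(sql, fetch)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # foo.id is 1 and bar.id is 7; the dict keeps only the last "id" seen,
    # so a caller expecting foo's ID silently gets bar's.
    print(run_query(AMBIGUOUS_SQL))                               # [{'id': 7}]
    # namedtuple() rejects duplicate field names outright.
    print(raises_value_error(AMBIGUOUS_SQL, namedtuplefetchall))  # True
    print(raises_value_error(AMBIGUOUS_SQL, safe_dictfetchall))   # True
    print(run_query(ALIASED_SQL))             # [{'foo_id': 1, 'bar_id': 7}]
```

The duplicate check in safe_dictfetchall is cheap insurance: it turns the silent overwrite into an error at the query site, which is where the missing aliases have to be added anyway.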
Change History (7)
Summary: Docs(SQL): Logical error in code sample → Examples of fetching raw SQL don't work for non-unique column names.
Triage Stage: Unreviewed → Accepted
Type: Bug → Cleanup/optimization
Owner: changed from nobody to Jesper Olsson
Status: new → assigned
Has patch: set
Patch needs improvement: set
Patch needs improvement: unset
Triage Stage: Accepted → Ready for checkin
Resolution: → fixed
Status: assigned → closed
All examples in this documentation are for a single table, so column names are unique. Also, there is nothing in the cursor.description to help distinguish columns with the same name. Nevertheless, I agree that we could add a warning in the docs that returned column names should be unique. Would you like to prepare a patch?