id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
35093	Allow SQL injection characters in QuerySet.annotate() aliases	Eyal Segal	nobody	"Encountered a limitation in Django ORM when using annotations with column aliases containing special characters like apostrophes or spaces. For example:

`Model.objects.annotate(**{""VALUE_WITH_APOSTROPHE'-2"": Count('attribute_name')})`

This generates a `ValueError: Column aliases cannot contain whitespace characters, quotation marks, semicolons, or SQL comments.` While SQL syntax allows such aliases, Django ORM does not, leading to a lack of flexibility and unexpected errors in ORM interactions.

Impact:
- Causes flow errors during higher-level ORM interactions.
- Limits application of ORM to real-world naming use cases.
- Decreases reliability and user experience when special characters are present.

Proposed Solution:
Enhance the ORM's handling of annotate aliases to allow common special characters, aligning with real-world naming scenarios. Options could include:
- Automatically transforming aliases before passing to SQL.
- Configurable rules for ""safe"" special characters at the ORM level.

Interested in community and maintainers' perspectives on potential solutions to provide ORM-level flexibility for end-user applications. Looking forward to contributing to the discussion and development of this feature."	New feature	closed	Database layer (models, ORM)	3.2	Normal	wontfix	ORM, annotations		Unreviewed	0	0	0	0	0	0
