id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux
4855,"regression: qs.extra(where=""foo IN %s"",params=tuple) fails with SQL syntax error in SVN 5677",Jörg Höhle,durdinator,"Hi, I have just upgraded from ~svn-2007-06-26 to 5677 (on 2007-07-12) and my SELECT IN code now fails:
{{{
Bug.objects.extra(where=['parent in %s'],params=[tuple([1,2,3])])
}}}
It now obviously adds single quotes around '(1,2,3)', where there were none previously (correct syntax). So I consider this a regression.
Of course, I could rewrite my code to say where=[""parent IN %s"" % tuple()], but that does not feel right. Especially, what if somebody does SQL injection into my tuple?
It seems like the tuple type should be recognized (special-cased), and quotes maybe added within each element, according to the result type. But how could Django possibly guess the required type?
{{{
  File ""/usr/lib/python2.4/site-packages/django/db/models/query.py"", line 480, in _get_data
    self._result_cache = list(self.iterator())
  File ""/usr/lib/python2.4/site-packages/django/db/models/query.py"", line 188, in iterator
    cursor.execute(""SELECT "" + (self._distinct and ""DISTINCT "" or """") + "","".join(select) + sql, params)
  File ""/usr/lib/python2.4/site-packages/django/db/backends/util.py"", line 19, in execute
    return self.cursor.execute(sql, params)
  File ""/usr/lib/python2.4/site-packages/django/db/backends/postgresql/base.py"", line 53, in execute
    return self.cursor.execute(smart_str(sql, self.charset), self.format_params(params))
ProgrammingError: FEHLER: Fehler »Syntaxfehler« bei »'(1, 2, 3)'« at character 101
SELECT ""polls_bug"".""id"",""polls_bug"".""parent_id"",""polls_bug"".""name"" FROM ""polls_bug"" WHERE parent in '(1, 2, 3)'
}}}
I'm using PostgreSQL, as seen in the backtrace.
{{{
#!python
class Bug(models.Model):
    parent = models.ForeignKey('self',null=True,blank=True)
    name = models.CharField(maxlength=30)
    def __str__(self):
        return self.name
    class Admin:
        pass
}}}
Regards, Jörg Höhle",,closed,"Database layer (models, ORM)",dev,,invalid,,,Accepted,0,0,0,0,0,0
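The reporter's worry about string-interpolating a tuple into the IN clause can be handled by expanding the collection into one bound placeholder per element, so every value still travels as a parameter. The helper below is an added example, not Django's or the ticket's code; `expand_in_params` and `demo_sqlite` are names chosen here, the table rows are constructed, and the demo runs against an in-memory SQLite table with `?` placeholders (the default `%s` matches the psycopg style shown in the ticket).

```python
import sqlite3
from typing import Any, List, Sequence, Tuple


def expand_in_params(where: str, params: Sequence[Any],
                     placeholder: str = "%s") -> Tuple[str, List[Any]]:
    """Rewrite a where-clause so each tuple/list parameter becomes one
    placeholder per element while every value stays a bound parameter.

    'parent IN %s', [(1, 2, 3)]  ->  'parent IN (%s, %s, %s)', [1, 2, 3]
    Scalars pass through untouched. An empty collection is rejected because
    'IN ()' is a syntax error on most databases. Assumes the clause contains
    no other occurrence of the placeholder text (e.g. inside a LIKE literal).
    """
    pieces = where.split(placeholder)
    if len(pieces) - 1 != len(params):
        raise ValueError("placeholder count does not match parameter count")
    out_sql: List[str] = [pieces[0]]
    out_params: List[Any] = []
    for piece, value in zip(pieces[1:], params):
        if isinstance(value, (tuple, list, set, frozenset)):
            values = list(value)
            if not values:
                raise ValueError("empty collection for IN clause")
            out_sql.append("(" + ", ".join([placeholder] * len(values)) + ")")
            out_params.extend(values)
        else:
            out_sql.append(placeholder)
            out_params.append(value)
        out_sql.append(piece)
    return "".join(out_sql), out_params


def demo_sqlite(parent_ids: Sequence[Any]) -> List[str]:
    """Run the expanded IN clause against a constructed polls_bug table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE polls_bug (id INTEGER PRIMARY KEY, "
                 "parent_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO polls_bug VALUES (?, ?, ?)", [
        (1, None, "root"), (2, 1, "child-a"), (3, 1, "child-b"),
        (4, 2, "grandchild"), (5, 3, "other")])
    # SQLite uses '?' rather than psycopg's '%s'; the expansion is the same.
    where, params = expand_in_params("parent_id IN ?", [tuple(parent_ids)],
                                     placeholder="?")
    rows = conn.execute("SELECT name FROM polls_bug WHERE " + where +
                        " ORDER BY id", params).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print(demo_sqlite((1, 2, 3)))
```

A hostile-looking element such as `"1) OR 1=1 --"` stays a bound value and simply matches no row, which is the property the reporter wanted from `params=`.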