Opened 16 years ago

Closed 15 years ago

#7152 closed (wontfix)

Insufficient validation of db_column and db_table when declaring models

Reported by: Matthias Goerner <enischte@…>
Owned by: nobody
Component: Validators
Version: dev
Severity:
Keywords:
Cc:
Triage Stage: Design decision needed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

db_column and db_table can contain special characters like %s which will pass model validation but cause exceptions later. See attached example.

Attachments (2)

models.py (182 bytes ) - added by Matthias Goerner <enischte@…> 16 years ago.
model causing exception
error.txt (2.8 KB ) - added by Matthias Goerner <enischte@…> 16 years ago.
Exception caused


Change History (7)

by Matthias Goerner <enischte@…>, 16 years ago

Attachment: models.py added

model causing exception

by Matthias Goerner <enischte@…>, 16 years ago

Attachment: error.txt added

Exception caused

comment:1 by Matthias Goerner <enischte@…>, 16 years ago

Component: Uncategorized → Validators

comment:2 by Simon Greenhill, 16 years ago

Resolution: wontfix
Status: new → closed

Well, yes, but does anyone really want to name their tables with characters like % or $?

comment:3 by Matthias Goerner <enischte@…>, 16 years ago

  1. The db_table string can either be probably escaped or quoted, or
  2. the respective model fails validation.

I understand that special characters are unlikely to appear in table names, so 1. is probably not a desirable solution.
But regarding that a program should rather fail during compile time (model validation) than runtime, a simple line of code during model validation checking table_name for special characters might be good.
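A check of the kind comment:3 proposes, as an added example written for this ticket and not Django's own code: a conservative identifier pattern applied to db_table/db_column values, next to a simulation of why a name containing %s breaks a query that is built by string formatting and then handed to a driver using the format paramstyle. The pattern, the function names and the query template are assumptions.

```python
import re

# Assumed conservative identifier rule: letters, digits and underscore,
# not starting with a digit. Stricter than any database requires, but it
# rejects every character that can collide with %-formatting or quoting.
SAFE_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def check_identifier(name, kind="db_table"):
    """Return an error string if `name` is unsafe, else None."""
    if not SAFE_IDENTIFIER.match(name):
        return "%s=%r: only letters, digits and underscores are allowed" % (kind, name)
    return None


def validate_options(db_table, db_columns):
    """Model-validation step: collect errors for a table name and its column names."""
    errors = []
    err = check_identifier(db_table, "db_table")
    if err:
        errors.append(err)
    for column in db_columns:
        err = check_identifier(column, "db_column")
        if err:
            errors.append(err)
    return errors


def build_insert(table, columns):
    """Mimic the ORM pattern: identifiers are interpolated into the SQL text,
    while one %s per column is left for the driver to bind a value to."""
    cols = ", ".join(columns)
    values = ", ".join(["%s"] * len(columns))
    return "INSERT INTO %s (%s) VALUES (%s)" % (table, cols, values)


def placeholder_mismatch(table, columns):
    """How many more %s placeholders the driver will see than values supplied.
    Non-zero means the query fails at runtime even though the model validated."""
    sql = build_insert(table, columns)
    return len(re.findall(r"%s", sql)) - len(columns)


if __name__ == "__main__":
    # Constructed sample: the "%s" inside the table name survives interpolation
    # and is later mistaken for a parameter placeholder by the driver.
    print(build_insert("app_%s_item", ["name"]))
    print("mismatch:", placeholder_mismatch("app_%s_item", ["name"]))
    print(validate_options("app_%s_item", ["name", "qty$"]))
```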

comment:4 by Marc Fargas, 16 years ago (in reply to: comment:2)

Resolution: wontfix (removed)
Status: closed → reopened
Triage Stage: Unreviewed → Design decision needed

Replying to Simon Greenhill:

Well, yes, but does anyone really want to name their tables with characters like % or $?

I think it doesn't really matter if anyone wants that functionality, the issue is that if someone expects it that will fail miserably. Either Models reject this, or we escape db_table ;)

comment:5 by Malcolm Tredinnick, 15 years ago

Resolution: wontfix
Status: reopened → closed

"Doctor it hurts when I do this"
"Don't do that, then"

We cannot predict what characters will and will not be permitted by every possible storage engine (and we support external databases, so we cannot survey all the possibilities). If the user is going to specify their own database table and column names, it's for a very specific reason and it's reasonable to expect that they understand what is acceptable to their database engine of choice.
