Insufficient validation of db_column and db_table when declaring models

[Matthias Goerner <enischte@…>]

db_column and db_table can contain special characters like %s which will pass model validation but cause exceptions later. See attached example

[Matthias Goerner <enischte@…>]

model causing exception

[Matthias Goerner <enischte@…>]

Exception caused

[Simon Greenhill]

Well, yes, but does anyone really want to name their tables with characters like % or $?

[Matthias Goerner <enischte@…>]

1. The db_table string can either be probably escaped or quoted, or 2. the respective model fails validation.

I understand that special characters are unlikely to appear in table names, so 1. is probably not a desirable solution.
But regarding that a program should rather fail during compile time(model validation) than runtime, a simple line of code during model validation checking table_name for special characters might be good.

[Marc Fargas]

Replying to Simon Greenhill:

Well, yes, but does anyone really want to name their tables with characters like % or $?

I think it doesn't really matter if anyone wants that functionallity, the issue is that if someone expects it that fill fail miserably. Or Models reject this, or whe escape db_table ;)

[Malcolm Tredinnick]

"Doctor it hurts when I do this"
"Don't do that, then"

We cannot predict what characters will and will not be permitted by every possible storage engine (and we support external databases, so we cannot survey all the possibilities). If the user is going to specify their own database table and column names, it's for a very specific reason and it's reasonable to expect that they understand what is acceptable to their database engine of choice.