Opened 7 years ago

Closed 6 years ago

#7152 closed (wontfix)

Insufficient validation of db_column and db_table when declaring models

Reported by: Matthias Goerner <enischte@…>
Owned by: nobody
Component: Validators
Version: master
Severity:
Keywords:
Cc:
Triage Stage: Design decision needed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

db_column and db_table can contain special characters like %s which will pass model validation but cause exceptions later. See the attached example.

Attachments (2)

models.py (182 bytes) - added by Matthias Goerner <enischte@…> 7 years ago.
model causing exception
error.txt (2.8 KB) - added by Matthias Goerner <enischte@…> 7 years ago.
Exception caused


Change History (7)

Changed 7 years ago by Matthias Goerner <enischte@…>

model causing exception

Changed 7 years ago by Matthias Goerner <enischte@…>

Exception caused

comment:1 Changed 7 years ago by Matthias Goerner <enischte@…>

  • Component changed from Uncategorized to Validators
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

comment:2 follow-up: Changed 7 years ago by Simon Greenhill

  • Resolution set to wontfix
  • Status changed from new to closed

Well, yes, but does anyone really want to name their tables with characters like % or $?

comment:3 Changed 7 years ago by Matthias Goerner <enischte@…>

  1. The db_table string can either be properly escaped or quoted, or
  2. the respective model fails validation.

I understand that special characters are unlikely to appear in table names, so 1. is probably not a desirable solution.
But given that a program should rather fail at compile time (model validation) than at runtime, a simple line of code during model validation checking table_name for special characters might be good.
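
The validation-time check proposed in this comment, as an added example that is not part of the ticket or of Django's own code: `identifier_problems`, `check_model` and the simplified `build_select` stand-in for query assembly are assumptions, and the sample names are constructed. `build_select` shows why a `%` in a name is a runtime problem: once identifiers are interpolated into the query text, a stray `%s` looks like an extra parameter placeholder to the driver.

```python
import re

# Assumption: a conservative identifier rule (letters, digits, underscore, not
# starting with a digit) that common SQL engines accept unquoted. Engines allow
# more than this, so it is a "safe everywhere" check, not an exhaustive one.
SAFE_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def identifier_problems(name, option):
    """Return human-readable problems for one db_table / db_column value.

    `option` is only used to label the message (e.g. "db_table").
    """
    problems = []
    if not SAFE_IDENTIFIER.match(name):
        problems.append("%s=%r contains characters outside [A-Za-z0-9_]" % (option, name))
    if "%" in name:
        # '%' is singled out because the assembled query text is handed to a
        # DB-API driver that treats '%s' as a parameter placeholder.
        problems.append("%s=%r contains '%%', which collides with parameter placeholders" % (option, name))
    return problems


def check_model(db_table, db_columns):
    """Validation-time check over a model's table name and its column names.

    `db_columns` maps field name -> db_column value (constructed, not a Django API).
    """
    problems = identifier_problems(db_table, "db_table")
    for field, column in db_columns.items():
        problems += identifier_problems(column, "db_column of %s" % field)
    return problems


def build_select(table, column, params):
    """Mimic how quoted identifiers are interpolated into SQL text while '%s'
    placeholders are left for the driver to fill from `params` (assumption: a
    simplified stand-in for real query assembly, not Django's code).

    Returns (sql, placeholders_seen_by_driver, len(params)); a mismatch is the
    runtime failure the validation check above is meant to catch earlier.
    """
    sql = 'SELECT "%s" FROM "%s" WHERE id = %%s' % (column, table)
    return sql, sql.count("%s"), len(params)


if __name__ == "__main__":
    # Constructed sample: a table name carrying the reporter's '%s' case.
    print(check_model("app_thing%s", {"name": "name", "price": "price$"}))
    print(build_select("app_thing%s", "name", (1,)))
```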

comment:4 in reply to: ↑ 2 Changed 7 years ago by telenieko

  • Resolution wontfix deleted
  • Status changed from closed to reopened
  • Triage Stage changed from Unreviewed to Design decision needed

Replying to Simon Greenhill:

Well, yes, but does anyone really want to name their tables with characters like % or $?

I think it doesn't really matter if anyone wants that functionality; the issue is that if someone expects it, it will fail miserably. Either Models reject this, or we escape db_table ;)

comment:5 Changed 6 years ago by mtredinnick

  • Resolution set to wontfix
  • Status changed from reopened to closed

"Doctor it hurts when I do this"
"Don't do that, then"

We cannot predict what characters will and will not be permitted by every possible storage engine (and we support external databases, so we cannot survey all the possibilities). If the user is going to specify their own database table and column names, it's for a very specific reason and it's reasonable to expect that they understand what is acceptable to their database engine of choice.
