#24605: Database identifiers are not properly escaped in some queries
-------------------------------------+-------------------------------------
     Reporter:  kurevin              |                    Owner:  priidukull
         Type:  Bug                  |                   Status:  assigned
    Component:  Database layer       |                  Version:  1.7
                (models, ORM)        |
     Severity:  Release blocker      |               Resolution:
     Keywords:  regression, database |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Comment (by charettes):
From further investigation with Priidu it looks like `Query.split_exclude`
doesn't generate the correct query when specific aliases can be reused.
We reduced the test case to the following models:
{{{#!python
from django.db import models


class Individual(models.Model):
    alive = models.BooleanField()

    class Meta:
        db_table = 'Individual'


class Child(models.Model):
    parent = models.ForeignKey(Individual, related_name='children')

    class Meta:
        db_table = 'Children'
}}}
where differently ordered queryset filters generate the following SQL.
{{{#!sql
# Individual.objects.exclude(Q(children__isnull=True), Q(alive=False))
SELECT "Individual"."id",
       "Individual"."alive"
FROM "Individual"
WHERE NOT ("Individual"."id" IN
             (SELECT U0."id" AS Col1
              FROM "Individual" U0
              LEFT OUTER JOIN "Children" U1 ON (U0."id" = U1."parent_id")
              WHERE U1."id" IS NULL)
           AND "Individual"."alive" = FALSE)
}}}
{{{#!sql
# Individual.objects.exclude(Q(alive=False), Q(children__isnull=True))
SELECT "Individual"."id",
       "Individual"."alive"
FROM "Individual"
WHERE NOT ("Individual"."alive" = FALSE
           AND "Individual"."id" IN
             (SELECT U0."id" AS Col1
              FROM Individual U0
              LEFT OUTER JOIN "Children" U1 ON (U0."id" = U1."parent_id")
              WHERE (U1."id" IS NULL
                     AND U0."id" = (Individual."id"))))
}}}
Notice how the second query's `NOT IN` subquery checks against `U0."id" =
(Individual."id")` when it doesn't have to.
--
Ticket URL: <https://code.djangoproject.com/ticket/24605#comment:8>
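
The following is an added example, not part of the ticket or of Django's code: a small regression check that scans generated SQL for table names appearing outside double quotes, run on the two queries from the comment above. The function name `unquoted_identifiers` and the whitespace-collapsed SQL strings are constructed for illustration.

```python
import re

# The two statements from the comment, whitespace collapsed (constructed copies).
QUERY_CHILDREN_FIRST = (
    'SELECT "Individual"."id", "Individual"."alive" FROM "Individual" '
    'WHERE NOT ("Individual"."id" IN (SELECT U0."id" AS Col1 FROM "Individual" U0 '
    'LEFT OUTER JOIN "Children" U1 ON (U0."id" = U1."parent_id") '
    'WHERE U1."id" IS NULL) AND "Individual"."alive" = FALSE)'
)
QUERY_ALIVE_FIRST = (
    'SELECT "Individual"."id", "Individual"."alive" FROM "Individual" '
    'WHERE NOT ("Individual"."alive" = FALSE AND "Individual"."id" IN '
    '(SELECT U0."id" AS Col1 FROM Individual U0 '
    'LEFT OUTER JOIN "Children" U1 ON (U0."id" = U1."parent_id") '
    'WHERE (U1."id" IS NULL AND U0."id" = (Individual."id"))))'
)

# Tokenise just enough SQL to tell quoted identifiers and string literals
# apart from bare words (keywords, aliases, unquoted identifiers).
TOKEN = re.compile(
    r"'(?:[^']|'')*'"             # single-quoted string literal
    r'|"(?:[^"]|"")*"'            # double-quoted identifier
    r"|[A-Za-z_][A-Za-z_0-9$]*"   # bare word
)


def unquoted_identifiers(sql, table_names):
    """Return (offset, token) for each bare-word occurrence of a known table name.

    Matching is case-insensitive because databases that fold unquoted
    identifiers would resolve any casing to the same (wrong) name.
    Limitation: a table whose name equals a keyword or alias used in the
    statement is reported as a false positive.
    """
    wanted = {name.lower() for name in table_names}
    hits = []
    for match in TOKEN.finditer(sql):
        token = match.group(0)
        if token[0] in "'\"":
            continue  # quoted identifier or literal: correctly escaped
        if token.lower() in wanted:
            hits.append((match.start(), token))
    return hits


if __name__ == "__main__":
    tables = ["Individual", "Children"]
    for label, sql in [("children first", QUERY_CHILDREN_FIRST),
                       ("alive first", QUERY_ALIVE_FIRST)]:
        print(label, unquoted_identifiers(sql, tables))
```

In a Django test suite the same function can be applied to `str(queryset.query)`, with the table names taken from the models' `db_table` values.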