#25705: Parameters are not adapted or quoted in Query.__str__
-------------------------------------+-------------------------------------
Reporter: Dmitry Dygalo | Owner: Alex
Type: Cleanup/optimization | Status: assigned
Component: Database layer (models, ORM) | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 1 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Simon Charette):
* cc: Mariusz Felisiak (added)
Comment:
> So if raw(str(qs.query)) is a risk, then quoting the parameters would
> fix it.
I was not arguing that it is not possible to cause SQL injection today by
using `raw(str(qs.query))`, but that the moment we do ''fix it'' by quoting
parameters, we must ensure that we safely support this anti-pattern.
> And as I said just after that, that alternative was rejected in the
> past, would be too much effort and I was only mentioning it as the only
> way to fix it in every backend. I should have been clearer that I wasn't
> pushing for this option.
Sorry I missed that, I thought you were pushing for this option.
> That idea was rejected 14 months ago, but it could be reconsidered in
> light of this discussion.
I wasn't aware that documenting `sql_with_params` was rejected in #34636.
I do think we should reconsider.
> I would be happy with this option. An alternative would be an error if
> the queryset hasn't been evaluated instead of None. But I'm not that big
> of a fan of the error idea.
I don't have a strong opinion on the subject, either works for me!
> My proposal is to close this as a wontfix and work on the
> QuerySet.executed_query idea and maybe reconsider documenting
> sql_with_params. I'm happy to do both as long as I don't get yelled at for
> reopening the wontfix sql_with_params ticket #34636.
I'm happy to support you towards re-opening #34636 but we should likely
follow the normal process of gathering a bit more consensus. It'd be great
to hear from Mariusz and others what their thoughts are on the matter.
--
Ticket URL: <https://code.djangoproject.com/ticket/25705#comment:18>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.