dosubot[bot] commented on issue #37520: URL: https://github.com/apache/superset/issues/37520#issuecomment-3811074985
This error happens because Superset now enforces strict backend validation for sorting: the ORDER BY clause must reference known columns or metrics, not freeform SQL or adhoc column labels. This change prevents SQL injection and data exfiltration, and only allows sorting by columns visible in the chart (columns, groupby, or metrics) [source](https://github.com/apache/superset/pull/37371).

Recent fixes in PR #35342 and #35482 (merged after October 2025) update how adhoc SQL expression columns are handled in ORDER BY clauses, so upgrading to the latest master/dev branch should resolve this issue [source](https://github.com/apache/superset/pull/35342) [source](https://github.com/apache/superset/pull/35482).

If you can't upgrade, there are no official workarounds to restore the old freeform SQL sorting. For complex sorting, create a calculated column or metric in your dataset and sort by that. For multi-field sorting, you can pre-sort data in your database, create a calculated column encoding your desired order, or modify the frontend to send all selected sort fields to the backend, but there’s no built-in UI support for this [source](https://github.com/apache/superset/issues/35279#issuecomment-3332760718).

Let me know if you need more technical details or code references!

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
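
The allowlist rule described in the comment above, as an added example that is not part of the original comment and is not Superset's code: sort targets are accepted only when they exactly match a name the chart already exposes. The function names, the payload shape (`columns`, `groupby`, `metrics`, `orderby` as `[name, ascending]` pairs) and the sample column `region_rank` are assumptions made for illustration.

```python
# Added illustration, not Superset's implementation; all names are hypothetical.

class OrderByValidationError(ValueError):
    """A sort target is not a known column or metric of the chart."""

def allowed_sort_targets(query):
    """Names the chart exposes: plain strings under columns, groupby, metrics."""
    allowed = set()
    for key in ("columns", "groupby", "metrics"):
        allowed.update(i for i in query.get(key) or [] if isinstance(i, str))
    return allowed

def validate_orderby(query):
    """Return [(name, 'ASC'|'DESC')] or raise; SQL text is never passed through."""
    allowed = allowed_sort_targets(query)
    clauses = []
    for entry in query.get("orderby") or []:
        if not isinstance(entry, (list, tuple)) or len(entry) != 2:
            raise OrderByValidationError(f"malformed orderby entry: {entry!r}")
        target, ascending = entry
        # Exact-match lookup: expressions and adhoc dicts can never match a name.
        if not isinstance(target, str) or target not in allowed:
            raise OrderByValidationError(f"unknown sort target: {target!r}")
        if not isinstance(ascending, bool):
            raise OrderByValidationError(f"direction must be a bool: {ascending!r}")
        # The caller should still emit `target` as a quoted identifier.
        clauses.append((target, "ASC" if ascending else "DESC"))
    return clauses

# Constructed sample payloads (not captured from a real instance).
FREEFORM = {"columns": ["region"], "metrics": ["revenue"],
            "orderby": [["CASE WHEN region = 'EMEA' THEN 0 ELSE 1 END", True]]}
ADHOC = {"columns": ["region"], "metrics": ["revenue"],
         "orderby": [[{"expressionType": "SQL", "sqlExpression": "region",
                       "label": "r"}, True]]}
# Workaround from the comment: the expression lives in the dataset as a
# calculated column (here "region_rank") and the chart sorts by its name.
WORKAROUND = {"columns": ["region", "region_rank"], "metrics": ["revenue"],
              "orderby": [["region_rank", True], ["revenue", False]]}

if __name__ == "__main__":
    for name, q in (("freeform", FREEFORM), ("adhoc", ADHOC), ("workaround", WORKAROUND)):
        try:
            print(name, "->", validate_orderby(q))
        except OrderByValidationError as exc:
            print(name, "-> rejected:", exc)
```
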
