Changes between Initial Version and Version 1 of Ticket #35093


Ignore:
Timestamp:
Jan 7, 2024, 1:34:11 PM (12 months ago)
Author:
Tim Graham
Comment:

Did you look into why the restriction was added? (to prevent SQL injection: 93cae5cb2f9a4ef1514cf1a41f714fef08005200)

Something like .annotate(**{"VALUE_WITH_APOSTROPHE'-2": Count('attribute_name')}, allow_sql_injecdtion=True) is probably not going to fly. Feel free to make a proposal on the DevelopersMailingList if you want to start a discussion.

Legend:

Unmodified
Added
Removed
Modified

  • Ticket #35093

    • Property Resolutionwontfix
    • Property Status newclosed
    • Property Summary Handling Special Characters in ORM Annotate AliasesAllow SQL injection characters in QuerySet.annotate() aliases

  • Ticket #35093 – Description

    initial v1  
    11Encountered a limitation in Django ORM when using annotations with column aliases containing special characters like apostrophes or spaces. For example:
    22
    3 Model.objects.annotate(**{"VALUE_WITH_APOSTROPHE'-2": Count('attribute_name')})
     3`Model.objects.annotate(**{"VALUE_WITH_APOSTROPHE'-2": Count('attribute_name')})`
    44
    5 This generates a ValueError: Column aliases cannot contain whitespace characters. While SQL syntax allows such aliases, Django ORM does not, leading to a lack of flexibility and unexpected errors in ORM interactions.
     5This generates a `ValueError: Column aliases cannot contain whitespace characters, quotation marks, semicolons, or SQL comments.` While SQL syntax allows such aliases, Django ORM does not, leading to a lack of flexibility and unexpected errors in ORM interactions.
    66
    77Impact:
     
    1616
    1717Interested in community and maintainers' perspectives on potential solutions to provide ORM-level flexibility for end-user applications. Looking forward to contributing to the discussion and development of this feature.
    18 
Back to Top