Fixed #14733: no longer "validate" .raw() queries.

Turns out that a lot more than just SELECT can return data, and this list is
very hard to define up front in a cross-database manner. So let's just assume
that anyone using raw() is at least halfway competent and can deal with
the error messages if they don't use a data-returning query.

Thanks to Christophe Pettus for the patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15803 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit fd2f18008caeca28c60c43cce7b43fb87c6fee78 1 parent f1f10a9
Jacob Kaplan-Moss authored
6  django/db/models/sql/query.py
@@ -31,7 +31,6 @@ class RawQuery(object):
31 31
     """
32 32
 
33 33
     def __init__(self, sql, using, params=None):
34  
-        self.validate_sql(sql)
35 34
         self.params = params or ()
36 35
         self.sql = sql
37 36
         self.using = using
@@ -62,11 +61,6 @@ def get_columns(self):
62 61
         return [converter(column_meta[0])
63 62
                 for column_meta in self.cursor.description]
64 63
 
65  
-    def validate_sql(self, sql):
66  
-        if not sql.lower().strip().startswith('select'):
67  
-            raise InvalidQuery('Raw queries are limited to SELECT queries. Use '
68  
-                               'connection.cursor directly for other types of queries.')
69  
-
70 64
     def __iter__(self):
71 65
         # Always execute a new query for a new iterator.
72 66
         # This could be optimized with a cache at the expense of RAM.
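Review bot: get_columns() in the context lines above iterates self.cursor.description, and with validate_sql() removed nothing guarantees the statement produced a result set. The DB-API leaves description as None for statements that return no rows, so the failure surfaces as a TypeError from the list comprehension rather than as a message about raw(). Consider checking for None there and raising InvalidQuery with an explanatory message, which stays database-neutral because it does not guess from the SQL text. If InvalidQuery is no longer referenced elsewhere in this module, its import can be dropped as well.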
13  docs/topics/db/sql.txt
@@ -42,6 +42,10 @@ You could then execute custom SQL like so::
42 42
     John Smith
43 43
     Jane Jones
44 44
 
  45
+Of course, this example isn't very exciting -- it's exactly the same as
  46
+running ``Person.objects.all()``. However, ``raw()`` has a bunch of other
  47
+options that make it very powerful.
  48
+
45 49
 .. admonition:: Model table names
46 50
 
47 51
     Where'd the name of the ``Person`` table come from in that example?
@@ -56,9 +60,12 @@ You could then execute custom SQL like so::
56 60
     :attr:`~Options.db_table` option, which also lets you manually set the
57 61
     database table name.
58 62
 
59  
-Of course, this example isn't very exciting -- it's exactly the same as
60  
-running ``Person.objects.all()``. However, ``raw()`` has a bunch of other
61  
-options that make it very powerful.
  63
+.. warning::
  64
+
  65
+    No checking is done on the SQL statement that is passed in to ``.raw()``.
  66
+    Django expects that the statement will return a set of rows from the
  67
+    database, but does nothing to enforce that. If the query does not
  68
+    return rows, a (possibly cryptic) error will result.
62 69
 
63 70
 Mapping query fields to model fields
64 71
 ------------------------------------
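Review bot: The new warning covers only the error case ("a (possibly cryptic) error will result") and does not say whether a statement that returns no rows has already been executed by the time that error appears. State this explicitly, since the removed check was the only thing that stopped an UPDATE passed to ``.raw()`` from reaching the database, and name the kind of error a reader should expect so it can be recognised.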
4  tests/modeltests/raw_query/tests.py
@@ -169,10 +169,6 @@ def testAnnotations(self):
169 169
         authors = Author.objects.all()
170 170
         self.assertSuccessfulRawQuery(Author, query, authors, expected_annotations)
171 171
 
172  
-    def testInvalidQuery(self):
173  
-        query = "UPDATE raw_query_author SET first_name='thing' WHERE first_name='Joe'"
174  
-        self.assertRaises(InvalidQuery, Author.objects.raw, query)
175  
-
176 172
     def testWhiteSpaceQuery(self):
177 173
         query = "    SELECT * FROM raw_query_author"
178 174
         authors = Author.objects.all()
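Review bot: testInvalidQuery is deleted without a replacement, so the new behaviour for a non-SELECT statement is untested. Add a test that passes the same UPDATE to Author.objects.raw() and asserts what now happens, both at construction and on iteration, so the error described in the docs warning is pinned down and a later change cannot alter it silently. If InvalidQuery is no longer used in this test module, drop its import.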
