From fd2f18008caeca28c60c43cce7b43fb87c6fee78 Mon Sep 17 00:00:00 2001 From: Jacob Kaplan-Moss Date: Mon, 14 Mar 2011 19:49:53 +0000 Subject: [PATCH] Fixed #14733: no longer "validate" .raw() queries. Turns out that a lot more than just SELECT can return data, and this list is very hard to define up front in a cross-database manner. So let's just assume that anyone using raw() is at least halfway competant and can deal with the error messages if they don't use a data-returning query. Thanks to Christophe Pettus for the patch. git-svn-id: http://code.djangoproject.com/svn/django/trunk@15803 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- django/db/models/sql/query.py | 6 ------ docs/topics/db/sql.txt | 13 ++++++++++--- tests/modeltests/raw_query/tests.py | 4 ---- 3 files changed, 10 insertions(+), 13 deletions(-) diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py index 8fa3419059..ea89771ed1 100644 --- a/django/db/models/sql/query.py +++ b/django/db/models/sql/query.py @@ -31,7 +31,6 @@ class RawQuery(object): """ def __init__(self, sql, using, params=None): - self.validate_sql(sql) self.params = params or () self.sql = sql self.using = using @@ -62,11 +61,6 @@ class RawQuery(object): return [converter(column_meta[0]) for column_meta in self.cursor.description] - def validate_sql(self, sql): - if not sql.lower().strip().startswith('select'): - raise InvalidQuery('Raw queries are limited to SELECT queries. Use ' - 'connection.cursor directly for other types of queries.') - def __iter__(self): # Always execute a new query for a new iterator. # This could be optimized with a cache at the expense of RAM. diff --git a/docs/topics/db/sql.txt b/docs/topics/db/sql.txt index 6be59c5d5a..e5f6c21a53 100644 --- a/docs/topics/db/sql.txt +++ b/docs/topics/db/sql.txt @@ -42,6 +42,10 @@ You could then execute custom SQL like so:: John Smith Jane Jones +Of course, this example isn't very exciting -- it's exactly the same as +running ``Person.objects.all()``. However, ``raw()`` has a bunch of other +options that make it very powerful. + .. admonition:: Model table names Where'd the name of the ``Person`` table come from in that example? @@ -56,9 +60,12 @@ You could then execute custom SQL like so:: :attr:`~Options.db_table` option, which also lets you manually set the database table name. -Of course, this example isn't very exciting -- it's exactly the same as -running ``Person.objects.all()``. However, ``raw()`` has a bunch of other -options that make it very powerful. +.. warning:: + + No checking is done on the SQL statement that is passed in to ``.raw()``. + Django expects that the statement will return a set of rows from the + database, but does nothing to enforce that. If the query does not + return rows, a (possibly cryptic) error will result. Mapping query fields to model fields ------------------------------------ diff --git a/tests/modeltests/raw_query/tests.py b/tests/modeltests/raw_query/tests.py index 5334412680..aa6aec10b1 100644 --- a/tests/modeltests/raw_query/tests.py +++ b/tests/modeltests/raw_query/tests.py @@ -169,10 +169,6 @@ class RawQueryTests(TestCase): authors = Author.objects.all() self.assertSuccessfulRawQuery(Author, query, authors, expected_annotations) - def testInvalidQuery(self): - query = "UPDATE raw_query_author SET first_name='thing' WHERE first_name='Joe'" - self.assertRaises(InvalidQuery, Author.objects.raw, query) - def testWhiteSpaceQuery(self): query = " SELECT * FROM raw_query_author" authors = Author.objects.all()