p15693087
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fixed #25212 -- Documented the RawSQL expression.

This commit is contained in:
Tim Graham 2015-08-03 16:27:49 -04:00
parent 28cb272a72
commit 97fa7fe961
3 changed files with 36 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
docs/ref/databases.txt
View File

@ -571,11 +571,13 @@ query for ``WHERE mycolumn=0``, both rows will match. Similarly, ``WHERE mycolum
will match the value ``'abc1'``. Therefore, string type fields included in Django will match the value ``'abc1'``. Therefore, string type fields included in Django
will always cast the value to a string before using it in a query. will always cast the value to a string before using it in a query.
If you implement custom model fields that inherit from :class:`~django.db.models.Field` If you implement custom model fields that inherit from
directly, are overriding :meth:`~django.db.models.Field.get_prep_value`, or use :class:`~django.db.models.Field` directly, are overriding
:meth:`extra() <django.db.models.query.QuerySet.extra>` or :meth:`~django.db.models.Field.get_prep_value`, or use
:meth:`raw() <django.db.models.Manager.raw>`, you should ensure that you :class:`~django.db.models.expressions.RawSQL`,
perform the appropriate typecasting. :meth:`~django.db.models.query.QuerySet.extra`, or
:meth:`~django.db.models.Manager.raw`, you should ensure that you perform
appropriate typecasting.
.. _sqlite-notes: .. _sqlite-notes:

27
docs/ref/models/expressions.txt
View File

@ -391,6 +391,33 @@ Conditional expressions allow you to use :keyword:`if` ... :keyword:`elif` ...
:keyword:`else` logic in queries. Django natively supports SQL ``CASE`` :keyword:`else` logic in queries. Django natively supports SQL ``CASE``
expressions. For more details see :doc:`conditional-expressions`. expressions. For more details see :doc:`conditional-expressions`.
Raw SQL expressions
-------------------
.. versionadded:: 1.8
.. currentmodule:: django.db.models.expressions
.. class:: RawSQL(sql, params, output_field=None)
Sometimes database expressions can't easily express a complex ``WHERE`` clause.
In these edge cases, use the ``RawSQL`` expression. For example::
>>> from django.db.models.expressions import RawSQL
>>> queryset.annotate(val=RawSQL("select col from sometable where othercol = %s", (someparam,)))
These extra lookups may not be portable to different database engines (because
you're explicitly writing SQL code) and violate the DRY principle, so you
should avoid them if possible.
.. warning::
You should be very careful to escape any parameters that the user can
control by using ``params`` in order to protect against :ref:`SQL injection
attacks <sql-injection-protection>`.
.. currentmodule:: django.db.models
Technical Information Technical Information
===================== =====================

3
docs/topics/security.txt
View File

@ -94,7 +94,8 @@ write :ref:`raw queries <executing-raw-queries>` or execute
:ref:`custom sql <executing-custom-sql>`. These capabilities should be used :ref:`custom sql <executing-custom-sql>`. These capabilities should be used
sparingly and you should always be careful to properly escape any parameters sparingly and you should always be careful to properly escape any parameters
that the user can control. In addition, you should exercise caution when using that the user can control. In addition, you should exercise caution when using
:meth:`extra() <django.db.models.query.QuerySet.extra>`. :meth:`~django.db.models.query.QuerySet.extra` and
:class:`~django.db.models.expressions.RawSQL`.
Clickjacking protection Clickjacking protection
======================= =======================