mirror of https://github.com/django/django.git
375 lines
14 KiB
Plaintext
375 lines
14 KiB
Plaintext
==========================
|
|
Performing raw SQL queries
|
|
==========================
|
|
|
|
.. currentmodule:: django.db.models
|
|
|
|
When the :doc:`model query APIs </topics/db/queries>` don't go far enough, you
|
|
can fall back to writing raw SQL. Django gives you two ways of performing raw
|
|
SQL queries: you can use :meth:`Manager.raw()` to `perform raw queries and
|
|
return model instances`__, or you can avoid the model layer entirely and
|
|
`execute custom SQL directly`__.
|
|
|
|
__ `performing raw queries`_
|
|
__ `executing custom SQL directly`_
|
|
|
|
.. warning::
|
|
|
|
You should be very careful whenever you write raw SQL. Every time you use
|
|
it, you should properly escape any parameters that the user can control
|
|
by using ``params`` in order to protect against SQL injection attacks.
|
|
Please read more about :ref:`SQL injection protection
|
|
<sql-injection-protection>`.
|
|
|
|
.. _executing-raw-queries:
|
|
|
|
Performing raw queries
|
|
======================
|
|
|
|
The ``raw()`` manager method can be used to perform raw SQL queries that
|
|
return model instances:
|
|
|
|
.. method:: Manager.raw(raw_query, params=None, translations=None)
|
|
|
|
This method takes a raw SQL query, executes it, and returns a
|
|
``django.db.models.query.RawQuerySet`` instance. This ``RawQuerySet`` instance
|
|
can be iterated over just like a normal
|
|
:class:`~django.db.models.query.QuerySet` to provide object instances.
|
|
|
|
This is best illustrated with an example. Suppose you have the following model::
|
|
|
|
class Person(models.Model):
|
|
first_name = models.CharField(...)
|
|
last_name = models.CharField(...)
|
|
birth_date = models.DateField(...)
|
|
|
|
You could then execute custom SQL like so::
|
|
|
|
>>> for p in Person.objects.raw('SELECT * FROM myapp_person'):
|
|
... print(p)
|
|
John Smith
|
|
Jane Jones
|
|
|
|
Of course, this example isn't very exciting -- it's exactly the same as
|
|
running ``Person.objects.all()``. However, ``raw()`` has a bunch of other
|
|
options that make it very powerful.
|
|
|
|
.. admonition:: Model table names
|
|
|
|
Where did the name of the ``Person`` table come from in that example?
|
|
|
|
By default, Django figures out a database table name by joining the
|
|
model's "app label" -- the name you used in ``manage.py startapp`` -- to
|
|
the model's class name, with an underscore between them. In the example
|
|
we've assumed that the ``Person`` model lives in an app named ``myapp``,
|
|
so its table would be ``myapp_person``.
|
|
|
|
For more details check out the documentation for the
|
|
:attr:`~Options.db_table` option, which also lets you manually set the
|
|
database table name.
|
|
|
|
.. warning::
|
|
|
|
No checking is done on the SQL statement that is passed in to ``.raw()``.
|
|
Django expects that the statement will return a set of rows from the
|
|
database, but does nothing to enforce that. If the query does not
|
|
return rows, a (possibly cryptic) error will result.
|
|
|
|
.. warning::
|
|
|
|
If you are performing queries on MySQL, note that MySQL's silent type coercion
|
|
may cause unexpected results when mixing types. If you query on a string
|
|
type column, but with an integer value, MySQL will coerce the types of all values
|
|
in the table to an integer before performing the comparison. For example, if your
|
|
table contains the values ``'abc'``, ``'def'`` and you query for ``WHERE mycolumn=0``,
|
|
both rows will match. To prevent this, perform the correct typecasting
|
|
before using the value in a query.
|
|
|
|
Mapping query fields to model fields
|
|
------------------------------------
|
|
|
|
``raw()`` automatically maps fields in the query to fields on the model.
|
|
|
|
The order of fields in your query doesn't matter. In other words, both
|
|
of the following queries work identically::
|
|
|
|
>>> Person.objects.raw('SELECT id, first_name, last_name, birth_date FROM myapp_person')
|
|
...
|
|
>>> Person.objects.raw('SELECT last_name, birth_date, first_name, id FROM myapp_person')
|
|
...
|
|
|
|
Matching is done by name. This means that you can use SQL's ``AS`` clauses to
|
|
map fields in the query to model fields. So if you had some other table that
|
|
had ``Person`` data in it, you could easily map it into ``Person`` instances::
|
|
|
|
>>> Person.objects.raw('''SELECT first AS first_name,
|
|
... last AS last_name,
|
|
... bd AS birth_date,
|
|
... pk AS id,
|
|
... FROM some_other_table''')
|
|
|
|
As long as the names match, the model instances will be created correctly.
|
|
|
|
Alternatively, you can map fields in the query to model fields using the
|
|
``translations`` argument to ``raw()``. This is a dictionary mapping names of
|
|
fields in the query to names of fields on the model. For example, the above
|
|
query could also be written::
|
|
|
|
>>> name_map = {'first': 'first_name', 'last': 'last_name', 'bd': 'birth_date', 'pk': 'id'}
|
|
>>> Person.objects.raw('SELECT * FROM some_other_table', translations=name_map)
|
|
|
|
Index lookups
|
|
-------------
|
|
|
|
``raw()`` supports indexing, so if you need only the first result you can
|
|
write::
|
|
|
|
>>> first_person = Person.objects.raw('SELECT * FROM myapp_person')[0]
|
|
|
|
However, the indexing and slicing are not performed at the database level. If
|
|
you have a large number of ``Person`` objects in your database, it is more
|
|
efficient to limit the query at the SQL level::
|
|
|
|
>>> first_person = Person.objects.raw('SELECT * FROM myapp_person LIMIT 1')[0]
|
|
|
|
Deferring model fields
|
|
----------------------
|
|
|
|
Fields may also be left out::
|
|
|
|
>>> people = Person.objects.raw('SELECT id, first_name FROM myapp_person')
|
|
|
|
The ``Person`` objects returned by this query will be deferred model instances
|
|
(see :meth:`~django.db.models.query.QuerySet.defer()`). This means that the
|
|
fields that are omitted from the query will be loaded on demand. For example::
|
|
|
|
>>> for p in Person.objects.raw('SELECT id, first_name FROM myapp_person'):
|
|
... print(p.first_name, # This will be retrieved by the original query
|
|
... p.last_name) # This will be retrieved on demand
|
|
...
|
|
John Smith
|
|
Jane Jones
|
|
|
|
From outward appearances, this looks like the query has retrieved both
|
|
the first name and last name. However, this example actually issued 3
|
|
queries. Only the first names were retrieved by the raw() query -- the
|
|
last names were both retrieved on demand when they were printed.
|
|
|
|
There is only one field that you can't leave out - the primary key
|
|
field. Django uses the primary key to identify model instances, so it
|
|
must always be included in a raw query. An ``InvalidQuery`` exception
|
|
will be raised if you forget to include the primary key.
|
|
|
|
Adding annotations
|
|
------------------
|
|
|
|
You can also execute queries containing fields that aren't defined on the
|
|
model. For example, we could use `PostgreSQL's age() function`__ to get a list
|
|
of people with their ages calculated by the database::
|
|
|
|
>>> people = Person.objects.raw('SELECT *, age(birth_date) AS age FROM myapp_person')
|
|
>>> for p in people:
|
|
... print("%s is %s." % (p.first_name, p.age))
|
|
John is 37.
|
|
Jane is 42.
|
|
...
|
|
|
|
__ https://www.postgresql.org/docs/current/static/functions-datetime.html
|
|
|
|
Passing parameters into ``raw()``
|
|
---------------------------------
|
|
|
|
If you need to perform parameterized queries, you can use the ``params``
|
|
argument to ``raw()``::
|
|
|
|
>>> lname = 'Doe'
|
|
>>> Person.objects.raw('SELECT * FROM myapp_person WHERE last_name = %s', [lname])
|
|
|
|
``params`` is a list or dictionary of parameters. You'll use ``%s``
|
|
placeholders in the query string for a list, or ``%(key)s``
|
|
placeholders for a dictionary (where ``key`` is replaced by a
|
|
dictionary key, of course), regardless of your database engine. Such
|
|
placeholders will be replaced with parameters from the ``params``
|
|
argument.
|
|
|
|
.. note::
|
|
|
|
Dictionary params are not supported with the SQLite backend; with
|
|
this backend, you must pass parameters as a list.
|
|
|
|
.. warning::
|
|
|
|
**Do not use string formatting on raw queries or quote placeholders in your
|
|
SQL strings!**
|
|
|
|
It's tempting to write the above query as::
|
|
|
|
>>> query = 'SELECT * FROM myapp_person WHERE last_name = %s' % lname
|
|
>>> Person.objects.raw(query)
|
|
|
|
You might also think you should write your query like this (with quotes
|
|
around ``%s``)::
|
|
|
|
>>> query = "SELECT * FROM myapp_person WHERE last_name = '%s'"
|
|
|
|
**Don't make either of these mistakes.**
|
|
|
|
As discussed in :ref:`sql-injection-protection`, using the ``params``
|
|
argument and leaving the placeholders unquoted protects you from `SQL
|
|
injection attacks`__, a common exploit where attackers inject arbitrary
|
|
SQL into your database. If you use string interpolation or quote the
|
|
placeholder, you're at risk for SQL injection.
|
|
|
|
__ https://en.wikipedia.org/wiki/SQL_injection
|
|
|
|
.. _executing-custom-sql:
|
|
|
|
Executing custom SQL directly
|
|
=============================
|
|
|
|
Sometimes even :meth:`Manager.raw` isn't quite enough: you might need to
|
|
perform queries that don't map cleanly to models, or directly execute
|
|
``UPDATE``, ``INSERT``, or ``DELETE`` queries.
|
|
|
|
In these cases, you can always access the database directly, routing around
|
|
the model layer entirely.
|
|
|
|
The object ``django.db.connection`` represents the default database
|
|
connection. To use the database connection, call ``connection.cursor()`` to
|
|
get a cursor object. Then, call ``cursor.execute(sql, [params])`` to execute
|
|
the SQL and ``cursor.fetchone()`` or ``cursor.fetchall()`` to return the
|
|
resulting rows.
|
|
|
|
For example::
|
|
|
|
from django.db import connection
|
|
|
|
def my_custom_sql(self):
|
|
with connection.cursor() as cursor:
|
|
cursor.execute("UPDATE bar SET foo = 1 WHERE baz = %s", [self.baz])
|
|
cursor.execute("SELECT foo FROM bar WHERE baz = %s", [self.baz])
|
|
row = cursor.fetchone()
|
|
|
|
return row
|
|
|
|
To protect against SQL injection, you must not include quotes around the ``%s``
|
|
placeholders in the SQL string.
|
|
|
|
Note that if you want to include literal percent signs in the query, you have to
|
|
double them in the case you are passing parameters::
|
|
|
|
cursor.execute("SELECT foo FROM bar WHERE baz = '30%'")
|
|
cursor.execute("SELECT foo FROM bar WHERE baz = '30%%' AND id = %s", [self.id])
|
|
|
|
If you are using :doc:`more than one database </topics/db/multi-db>`, you can
|
|
use ``django.db.connections`` to obtain the connection (and cursor) for a
|
|
specific database. ``django.db.connections`` is a dictionary-like
|
|
object that allows you to retrieve a specific connection using its
|
|
alias::
|
|
|
|
from django.db import connections
|
|
with connections['my_db_alias'].cursor() as cursor:
|
|
# Your code here...
|
|
|
|
By default, the Python DB API will return results without their field names,
|
|
which means you end up with a ``list`` of values, rather than a ``dict``. At a
|
|
small performance and memory cost, you can return results as a ``dict`` by
|
|
using something like this::
|
|
|
|
def dictfetchall(cursor):
|
|
"Return all rows from a cursor as a dict"
|
|
columns = [col[0] for col in cursor.description]
|
|
return [
|
|
dict(zip(columns, row))
|
|
for row in cursor.fetchall()
|
|
]
|
|
|
|
Another option is to use :func:`collections.namedtuple` from the Python
|
|
standard library. A ``namedtuple`` is a tuple-like object that has fields
|
|
accessible by attribute lookup; it's also indexable and iterable. Results are
|
|
immutable and accessible by field names or indices, which might be useful::
|
|
|
|
from collections import namedtuple
|
|
|
|
def namedtuplefetchall(cursor):
|
|
"Return all rows from a cursor as a namedtuple"
|
|
desc = cursor.description
|
|
nt_result = namedtuple('Result', [col[0] for col in desc])
|
|
return [nt_result(*row) for row in cursor.fetchall()]
|
|
|
|
Here is an example of the difference between the three::
|
|
|
|
>>> cursor.execute("SELECT id, parent_id FROM test LIMIT 2");
|
|
>>> cursor.fetchall()
|
|
((54360982, None), (54360880, None))
|
|
|
|
>>> cursor.execute("SELECT id, parent_id FROM test LIMIT 2");
|
|
>>> dictfetchall(cursor)
|
|
[{'parent_id': None, 'id': 54360982}, {'parent_id': None, 'id': 54360880}]
|
|
|
|
>>> cursor.execute("SELECT id, parent_id FROM test LIMIT 2");
|
|
>>> results = namedtuplefetchall(cursor)
|
|
>>> results
|
|
[Result(id=54360982, parent_id=None), Result(id=54360880, parent_id=None)]
|
|
>>> results[0].id
|
|
54360982
|
|
>>> results[0][0]
|
|
54360982
|
|
|
|
Connections and cursors
|
|
-----------------------
|
|
|
|
``connection`` and ``cursor`` mostly implement the standard Python DB-API
|
|
described in :pep:`249` — except when it comes to :doc:`transaction handling
|
|
</topics/db/transactions>`.
|
|
|
|
If you're not familiar with the Python DB-API, note that the SQL statement in
|
|
``cursor.execute()`` uses placeholders, ``"%s"``, rather than adding
|
|
parameters directly within the SQL. If you use this technique, the underlying
|
|
database library will automatically escape your parameters as necessary.
|
|
|
|
Also note that Django expects the ``"%s"`` placeholder, *not* the ``"?"``
|
|
placeholder, which is used by the SQLite Python bindings. This is for the sake
|
|
of consistency and sanity.
|
|
|
|
Using a cursor as a context manager::
|
|
|
|
with connection.cursor() as c:
|
|
c.execute(...)
|
|
|
|
is equivalent to::
|
|
|
|
c = connection.cursor()
|
|
try:
|
|
c.execute(...)
|
|
finally:
|
|
c.close()
|
|
|
|
Calling stored procedures
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
.. method:: CursorWrapper.callproc(procname, params=None, kparams=None)
|
|
|
|
Calls a database stored procedure with the given name. A sequence
|
|
(``params``) or dictionary (``kparams``) of input parameters may be
|
|
provided. Most databases don't support ``kparams``. Of Django's built-in
|
|
backends, only Oracle supports it.
|
|
|
|
For example, given this stored procedure in an Oracle database:
|
|
|
|
.. code-block:: sql
|
|
|
|
CREATE PROCEDURE "TEST_PROCEDURE"(v_i INTEGER, v_text NVARCHAR2(10)) AS
|
|
p_i INTEGER;
|
|
p_text NVARCHAR2(10);
|
|
BEGIN
|
|
p_i := v_i;
|
|
p_text := v_text;
|
|
...
|
|
END;
|
|
|
|
This will call it::
|
|
|
|
with connection.cursor() as cursor:
|
|
cursor.callproc('test_procedure', [1, 'test'])
|