On 31 Oct, 21:23, Shai Berger <[email protected]> wrote:
> Hi Michal and Django devs,
>
> While for the most part, Jacob is correct in marking this as a usage question,
> there does appear to be something buggy here.
>
> Note how Michal is abusing the db_table setting to select a name with a
> schema. He's looking for "protein_therapeutics" (<30) in "mnowotka":
>
> > class ProteinTherapeutics(models.Model):
> > #...
> >     class Meta:
> >         db_table = 'mnowotka\".\"protein_therapeutics'
>
> This, almost worthy of being called an SQL injection, can't be the right way
> to achieve the goal. In fact, the Oracle backend (or even some higher, more
> generic level) should have doubled those '"' characters to make them part of
> the name. But -- save length issues -- the ploy succeeds:
>
> >      ...
> >      (SELECT (1) AS "A"
> >       FROM "MNOWOTKA"."PROTEIN_THERAPEFB7C") "_SUB"
> >      ...
>
> This is definitely a bug. The correct output should have been
>
>       ...
>       (SELECT (1) AS "A"
>        FROM "MNOWOTKA"".""PROTEIN_THERAPEFB7C") "_SUB"
>       ...
>
> As if this was the 'mnowotka"."protein_therapeutics' table in the current
> schema (wouldn't work -- length 31), and not the protein_therapeutics table
> (way shorter than 30) in the mnowotka schema, which is the intended target.
>
> I'm not sure -- perhaps the db_tablespace option is interpreted by the Oracle
> backend as schema, which would allow what Michal is trying to do with a sane
> API. Otherwise, I'd advise Michal to look at Oracle's table aliases, and mark
> this also as a missing feature.
>
> But either way, not doubling quotes is a bug.

You can't have table names with '"' characters in them unless you
quote the characters yourself. One instance of this is very
intentional: if the table name is already quoted then Django doesn't
add more quotes. This can be useful, and users are relying on that.

I just have a feeling that this is not worth fixing. How common are "
characters in table names? If you are using them in table names (not
in the schema qualified name but in the table name itself), then you
are just looking for trouble...

Surprising, but name quoting (caused mostly by column name quoting) is
clearly visible when profiling the ORM for certain types of queries.
Let's not make it any slower for this...

 - Anssi
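
An added example, not part of the thread and not Django's code: a simplified Python model of the two quoting behaviours discussed above, applied to the `db_table` value from the quoted message. The function names are hypothetical, and Oracle's upper-casing and name truncation are left out.

```python
ORACLE_MAX_NAME_LENGTH = 30  # limit the thread refers to ("<30", "length 31")
DB_TABLE = 'mnowotka"."protein_therapeutics'  # value from the quoted model


def quote_name_passthrough(name):
    """Simplified model of the behaviour described in the reply: a name that
    is already quoted is returned as is; anything else is wrapped in quotes
    with no escaping of embedded quote characters."""
    if name.startswith('"') and name.endswith('"'):
        return name
    return '"%s"' % name


def quote_name_strict(name):
    """Treat the string as one identifier: double embedded quotes (the
    escaping proposed in the quoted message), then wrap."""
    return '"%s"' % name.replace('"', '""')


def quote_qualified(schema, table):
    """Hypothetical explicit API: schema and table are quoted separately,
    so nothing has to be smuggled through db_table."""
    for part in (schema, table):
        if len(part) > ORACLE_MAX_NAME_LENGTH:
            raise ValueError("identifier too long: %r" % part)
    return "%s.%s" % (quote_name_strict(schema), quote_name_strict(table))


def identifier_count(sql):
    """Count quoted identifiers as a SQL parser would: inside a quoted
    identifier, "" is an escaped quote rather than a terminator."""
    count, i, inside = 0, 0, False
    while i < len(sql):
        if sql[i] == '"':
            if inside and sql[i + 1:i + 2] == '"':
                i += 1  # skip the second half of an escaped quote
            else:
                inside = not inside
                count += inside  # True only when an identifier opens
        i += 1
    return count


if __name__ == "__main__":
    for fn in (quote_name_passthrough, quote_name_strict):
        out = fn(DB_TABLE)
        print(fn.__name__, out, identifier_count(out), "identifier(s)")
    print(quote_qualified("mnowotka", "protein_therapeutics"))
```

The pass-through output parses as two identifiers (schema and table), while the strict output is a single 31-character name, one over the 30-character limit mentioned in the thread.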
