Potential Django Bug In QuerySet.query?


Problem description


Disclaimer: I'm still learning Django, so I might be missing something here, but I can't see what it would be...


I'm running Python 2.6.1 and Django 1.2.1.

(InteractiveConsole)
>>> from myproject.myapp.models import *
>>> qs = Identifier.objects.filter(Q(key="a") | Q(key="b"))
>>> print qs.query
SELECT `app_identifier`.`id`, `app_identifier`.`user_id`, 
`app_identifier`.`key`, `app_identifier`.`value` FROM
`app_identifier` WHERE (`app_identifier`.`key` = a  OR
`app_identifier`.`key` = b )
>>>


Notice that it doesn't put quotes around "a" or "b"! Now, I've determined that the query executes fine. So, in reality, it must be doing so. But, it's pretty annoying that printing out the query prints it wrong. Especially if I did something like this...

>>> qs = Identifier.objects.filter(Q(key=") AND") | Q(key="\"x\"); DROP TABLE `app_identifier`"))
>>> print qs.query
SELECT `app_identifier`.`id`, `app_identifier`.`user_id`,
`app_identifier`.`key`, `app_identifier`.`value` FROM
`app_identifier` WHERE (`app_identifier`.`key` = ) AND  OR
`app_identifier`.`key` = "x"); DROP TABLE `app_identifier` )
>>> 


Which, as you can see, not only creates completely malformed SQL code, but also has the seeds of a SQL injection attack. Now, obviously this wouldn't actually work, for quite a number of reasons (1. The syntax is all wrong, intentionally, to show the oddity of Django's behavior. 2. Django won't actually execute the query like this, it will actually put quotes and slashes and all that in there like it's supposed to).


But, this really makes debugging confusing, and it makes me wonder if something's gone wrong with my Django installation.


Does this happen for you? If so/not, what version of Python and Django do you have?

Any ideas?

Recommended answer


Ok, I just figured it out. It's not a bug. Browsing the source of django/db/models/sql/query.py:

    def __str__(self):
        """
        Returns the query as a string of SQL with the parameter values
        substituted in.

        Parameter values won't necessarily be quoted correctly, since that is
        done by the database interface at execution time.
        """
        sql, params = self.get_compiler(DEFAULT_DB_ALIAS).as_sql()
        return sql % params

http://code.djangoproject.com/browser/django/trunk/django/db/models/sql/query.py

Everything works fine. :)
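The following is an added example (not code from the question, the answer, or Django itself) that reproduces the point of the answer outside Django: the string you get from `str(qs.query)` is produced by plain `sql % params` substitution, so parameter values appear unquoted and unescaped, while the query the database actually runs binds those same values as parameters and the driver handles quoting. It uses an in-memory SQLite database with a constructed `app_identifier` table standing in for the model from the question; the table layout and sample rows are assumptions.

```python
import sqlite3

# Display-style SQL with %s placeholders, as Django's compiler emits it.
# (Constructed to mirror the query from the question; not Django output.)
SQL = "SELECT id, key, value FROM app_identifier WHERE (key = %s OR key = %s)"


def display_sql(sql, params):
    """Mimic Query.__str__: substitute the values with no quoting at all.

    The result is a debugging aid only; it is NOT what the database executes,
    which is why values such as ") AND" look like injected SQL here.
    """
    return sql % tuple(params)


def execute_parameterized(conn, sql, params):
    """Run the same query the way a DB-API driver does: values are bound as
    parameters, so the driver quotes/escapes them and they can never be parsed
    as SQL. sqlite3 uses '?' placeholders, so the '%s' markers are swapped."""
    return conn.execute(sql.replace("%s", "?"), tuple(params)).fetchall()


def build_sample_db():
    """Constructed stand-in for the app_identifier table from the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE app_identifier (id INTEGER PRIMARY KEY, key TEXT, value TEXT)"
    )
    conn.executemany(
        "INSERT INTO app_identifier (key, value) VALUES (?, ?)",
        [("a", "1"), ("b", "2"), ("c", "3")],
    )
    conn.commit()
    return conn


def table_row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM app_identifier").fetchone()[0]


def demo():
    """Return (displayed SQL, rows actually matched, rows still in the table)
    for the hostile-looking values used in the question."""
    conn = build_sample_db()
    params = [') AND', '"x"); DROP TABLE app_identifier']
    shown = display_sql(SQL, params)            # looks like malformed/injected SQL
    rows = execute_parameterized(conn, SQL, params)  # bound as literals: no match
    return shown, rows, table_row_count(conn)   # table is intact: 3 rows remain


if __name__ == "__main__":
    shown, rows, remaining = demo()
    print("str(query) would show:", shown)
    print("rows actually matched:", rows)
    print("rows still in table  :", remaining)
```

The takeaway for debugging is the one the answer gives: treat `str(qs.query)` as an approximation for reading, not as the executed statement. If you need the SQL that actually ran with its bound parameters, inspect `django.db.connection.queries` with `DEBUG = True`, or enable logging for the `django.db.backends` logger, both of which record what the backend executed.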
