raw_sql #132

Closed
stsouko opened this issue Jul 1, 2015 · 2 comments
@stsouko
stsouko commented Jul 1, 2015

```python
select(x for x in A if raw_sql("x.s LIKE 'some'"))
```

works fine, but

```python
rs = "x.s LIKE %s'" % 'some'
select(x for x in A if raw_sql(rs))
```

or

```python
select(x for x in A if raw_sql("x.s LIKE %s'" % 'some'))
```

don't

@kozlovsky
Member

Currently the raw_sql argument should be a constant string. But this string can refer to external variables or expressions using the $ syntax. You can write:

```python
param = 'aaa'
select(x for x in A if raw_sql("x.s LIKE $param"))
```

or even

```python
select(x for x in A if raw_sql("x.s LIKE $(request.args['arg1'])"))
```

Each $x variable or $(a+b) expression is translated into a query parameter. This way is much better than direct substitution of raw values into the SQL command for two reasons: (1) the SQL command can be cached and (2) the query parameters API totally excludes the possibility of SQL injection.
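The two reasons given in the comment above, shown as an added example that is not part of the original thread and is not Pony's implementation: a hypothetical helper `bind_dollar_params` turns `$name` placeholders into `?` markers for the standard-library `sqlite3` driver, and the result is compared with `%`-formatting. The table `a`, its rows and the second input value are constructed for the demonstration.

```python
import re
import sqlite3

# Hypothetical helper (an assumption, not Pony's code): turn "$name" placeholders
# in a constant SQL fragment into "?" markers plus an ordered tuple of values.
_PLACEHOLDER = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

def bind_dollar_params(fragment, variables):
    values = []
    def replace(match):
        values.append(variables[match.group(1)])  # KeyError on an unknown name
        return "?"
    return _PLACEHOLDER.sub(replace, fragment), tuple(values)

def make_db():
    # Constructed sample data standing in for entity A with attribute s.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE a (id INTEGER PRIMARY KEY, s TEXT)")
    db.executemany("INSERT INTO a (s) VALUES (?)",
                   [("some",), ("other",), ("secret",)])
    return db

def select_formatted(db, value):
    # Direct substitution: the value becomes part of the SQL text itself,
    # so a quote inside it changes the structure of the WHERE clause.
    sql = "SELECT s FROM a x WHERE x.s LIKE '%s' ORDER BY x.id" % value
    return sql, [row[0] for row in db.execute(sql)]

def select_bound(db, value):
    # "$param" style: the SQL text stays constant (cacheable) and the value
    # is handed to the driver separately, where it is only ever data.
    where, params = bind_dollar_params("x.s LIKE $param", {"param": value})
    sql = "SELECT s FROM a x WHERE " + where + " ORDER BY x.id"
    return sql, [row[0] for row in db.execute(sql, params)]

if __name__ == "__main__":
    db = make_db()
    for value in ("some", "x' OR '1'='1"):  # second value is constructed
        print("formatted:", select_formatted(db, value))
        print("bound:    ", select_bound(db, value))
```

With the bound form the statement text is identical for every input, which is what makes caching possible, and the quote-bearing value matches no rows instead of widening the filter.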

@kozlovsky
Member

We completely rewrote the raw_sql() implementation. Now it is possible to do the following:

  1. Use $parameters inside a raw_sql string:

     ```python
     s = 'J%'
     select(p for p in Person if raw_sql('p.name LIKE $s'))
     ```

  2. Inline complex Python expressions into raw_sql fragments:

     ```python
     import datetime
     select(t for t in Task if raw_sql("t.due_date < date($datetime.date.today(), '+1 day')"))
     ```

  3. Use dynamically generated strings as a parameter to raw_sql:

     ```python
     x = 100
     s = '"p"."price" > $x'
     select(p for p in Product if raw_sql(s))
     ```

     or

     ```python
     x = 100
     s = '"p"."price" > $x'
     raw = raw_sql(s)
     select(p for p in Product if raw)
     ```

  4. raw_sql as a query result:

     ```python
     select(raw_sql('UPPER(p.name)') for p in Person)
     ```

See tests for more examples: https://github.com/ponyorm/pony/blob/orm/pony/orm/tests/test_raw_sql.py

kozlovsky added a commit that referenced this issue Jan 11, 2016
The documentation was moved from this repo to a separate one at https://github.com/ponyorm/pony-doc
The compiled version can be found at https://docs.ponyorm.com

# New features

* Python 3.5 support
* #132, #145: raw_sql() function was added
* #126: Ability to use @db_session with generator functions
* #116: Add support to select by UUID
* Ability to get string SQL statement using the Query.get_sql() method
* New function delete(gen) and Query.delete(bulk=False)
* Now it is possible to override Entity.__init__() and declare custom entity methods

# Backward incompatible changes

* Normalizing table names for symmetric relationships
* Autostrip - automatically remove leading and trailing characters

# Bugfixes

* #87: Pony fails with pymysql installed as MySQLdb
* #118: Pony should reconnect if previous connection was created before process was forked
* #121: Unable to update value of unique attribute
* #122: AssertionError when changing part of a composite key
* #127: a workaround for incorrect pysqlite locking behavior
* #136: Cascade delete does not work correctly for one-to-one relationships
* #141, #143: remove restriction on adding new methods to entities
* #142: Entity.select_random() AssertionError
* #147: Add 'atom_expr' symbol handling for Python 3.5 grammar
kozlovsky added this to the 0.6.2 milestone Jan 11, 2016