<feed xmlns='http://www.w3.org/2005/Atom'>
<title>chango.git/django/db/models/sql/compiler.py, branch devmain</title>
<subtitle>django
</subtitle>
<id>http://cgit.adnoto.dev/chango.git/atom?h=devmain</id>
<link rel='self' href='http://cgit.adnoto.dev/chango.git/atom?h=devmain'/>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/'/>
<updated>2026-06-10T14:17:34Z</updated>
<entry>
<title>Fixed #37142 -- Moved django_file_prefixes() to django.utils.warnings.</title>
<updated>2026-06-10T14:17:34Z</updated>
<author>
<name>zhengkangyang</name>
<email>1872483761@qq.com</email>
</author>
<published>2026-06-06T08:17:24Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=f970a98e464320c09dde8d45009eadfb4d038a57'/>
<id>urn:sha1:f970a98e464320c09dde8d45009eadfb4d038a57</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Refs #37097 -- Removed compilation-time order clearing on combined queries on Oracle.</title>
<updated>2026-05-18T21:06:14Z</updated>
<author>
<name>Jacob Walls</name>
<email>jacobtylerwalls@gmail.com</email>
</author>
<published>2026-05-13T14:31:27Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=fbe902d4a4b8b9dcb371509b25ba8feff3852e64'/>
<id>urn:sha1:fbe902d4a4b8b9dcb371509b25ba8feff3852e64</id>
<content type='text'>
Thanks Simon Charette, JaeHyuck Sa, and Shai Berger for reviews.
</content>
</entry>
<entry>
<title>Refs #36938 -- Reverted "Refs #36938 -- Tolerated unnecessary ordering in compound queries on SQLite."</title>
<updated>2026-05-18T21:06:14Z</updated>
<author>
<name>Jacob Walls</name>
<email>jacobtylerwalls@gmail.com</email>
</author>
<published>2026-05-13T14:31:39Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=6bbe2656e1e89a03d1ae8f2cea7bdd2a027f0665'/>
<id>urn:sha1:6bbe2656e1e89a03d1ae8f2cea7bdd2a027f0665</id>
<content type='text'>
This mostly reverts 2314cdf1ff860058a6579bb9f9bac1253fc9ab43,
but keeps the removal of some test skips.
</content>
</entry>
<entry>
<title>Refs #36938 -- Tolerated unnecessary ordering in compound queries on SQLite.</title>
<updated>2026-05-11T18:50:40Z</updated>
<author>
<name>Jacob Walls</name>
<email>jacobtylerwalls@gmail.com</email>
</author>
<published>2026-05-11T16:07:20Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=2314cdf1ff860058a6579bb9f9bac1253fc9ab43'/>
<id>urn:sha1:2314cdf1ff860058a6579bb9f9bac1253fc9ab43</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Fixed #36938 -- Removed unnecessary ordering from compound queries.</title>
<updated>2026-05-11T18:50:40Z</updated>
<author>
<name>siddus</name>
<email>dcsid10@gmail.com</email>
</author>
<published>2026-04-13T15:32:43Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=9c655e98006dec4f4fd47a84c254f36404d631e4'/>
<id>urn:sha1:9c655e98006dec4f4fd47a84c254f36404d631e4</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Refs #36795 -- Deprecated SQLCompiler.quote_name_unless_alias().</title>
<updated>2026-03-19T16:24:17Z</updated>
<author>
<name>Simon Charette</name>
<email>charette.s@gmail.com</email>
</author>
<published>2026-03-16T03:31:18Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=1786cd881ff4ad9458d56180ae555d92c14e5af8'/>
<id>urn:sha1:1786cd881ff4ad9458d56180ae555d92c14e5af8</id>
<content type='text'>
It has been superseded with .quote_name(), which ensures aliases are
always quoted.
</content>
</entry>
<entry>
<title>Fixed #36795 -- Enforced quoting of all database object names.</title>
<updated>2026-03-19T16:24:17Z</updated>
<author>
<name>Simon Charette</name>
<email>charette.s@gmail.com</email>
</author>
<published>2026-02-01T21:53:54Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=f05fac88c4699c6d04a8f1ac3328cf6c7bd39228'/>
<id>urn:sha1:f05fac88c4699c6d04a8f1ac3328cf6c7bd39228</id>
<content type='text'>
This ensures all database identifiers are quoted independently of their orign
and most importantly that user provided aliases through annotate() and alias()
which paves the way for dropping the allow list of characters such aliases can
contain.

This will require adjustments to raw SQL interfaces such as RawSQL that might
make reference to ORM managed annotations as these will now be quoted.

The `SQLCompiler.quote_name_unless_alias` method is kept for now as an alias
for the newly introduced `.quote_name` method but will be duly deprecated in
a follow up commit.
</content>
</entry>
<entry>
<title>Fixed #36727 -- Deprecated Field.get_placeholder in favor of get_placeholder_sql.</title>
<updated>2026-03-13T00:01:02Z</updated>
<author>
<name>Simon Charette</name>
<email>charette.s@gmail.com</email>
</author>
<published>2025-11-22T18:32:34Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=1a8fd5cf75bf855852f6bc2f75c3da9f7b145669'/>
<id>urn:sha1:1a8fd5cf75bf855852f6bc2f75c3da9f7b145669</id>
<content type='text'>
The lack of ability of the get_placeholder call chain to return SQL and
parameters separated so they can be mogrified by the backend at execution time
forced implementations to dangerously interpolate potentially user controlled
values.

The get_placeholder_sql name was chosen due to its proximity to the previous
method, but other options such as Field.as_sql were considered but ultimately
rejected due to its different input signature compared to Expression.as_sql
that might have lead to confusion.

There is a lot of overlap between what Field.get_db_prep_value and
get_placeholder_sql do but folding the latter in the former would require
changing its return signature to return expression which is a way more invasive
change than what is proposed here.

Given we always call get_db_prep_value it might still be an avenue worth
exploring in the future to offer a publicly documented interface to allow field
to take an active part in the compilation chain.

Thanks Jacob for the review.
</content>
</entry>
<entry>
<title>Fixed CVE-2026-1312 -- Protected order_by() from SQL injection via aliases with periods.</title>
<updated>2026-02-03T12:55:33Z</updated>
<author>
<name>Jacob Walls</name>
<email>jacobtylerwalls@gmail.com</email>
</author>
<published>2026-01-21T22:53:52Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=69065ca869b0970dff8fdd8fafb390bf8b3bf222'/>
<id>urn:sha1:69065ca869b0970dff8fdd8fafb390bf8b3bf222</id>
<content type='text'>
Before, `order_by()` treated a period in a field name as a sign that it
was requested via `.extra(order_by=...)` and thus should be passed
through as raw table and column names, even if `extra()` was not used.
Since periods are permitted in aliases, this meant user-controlled
aliases could force the `order_by()` clause to resolve to a raw table
and column pair instead of the actual target field for the alias.

In practice, only `FilteredRelation` was affected, as the other
expressions we tested, e.g. `F`, aggressively optimize away the ordering
expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY
"table".column.

Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard
for reviews.
</content>
</entry>
<entry>
<title>Fixed #36815 -- Optimized insertion of db_default fields in bulk_create().</title>
<updated>2026-01-09T19:03:28Z</updated>
<author>
<name>YashRaj1506</name>
<email>yashraj504300@gmail.com</email>
</author>
<published>2026-01-04T11:07:23Z</published>
<link rel='alternate' type='text/html' href='http://cgit.adnoto.dev/chango.git/commit/?id=9247410b4ba3b1f855567b8d84422d36345c690a'/>
<id>urn:sha1:9247410b4ba3b1f855567b8d84422d36345c690a</id>
<content type='text'>
Thanks Adam Sołtysik for the implementation idea.
</content>
</entry>
</feed>
