django http://cgit.adnoto.dev/django.git/atom?h=main 2026-03-19T16:24:17Z 2026-03-19T16:24:17Z Simon Charette charette.s@gmail.com 2026-03-16T03:31:18Z urn:sha1:1786cd881ff4ad9458d56180ae555d92c14e5af8 It has been superseded with .quote_name(), which ensures aliases are always quoted. 2026-03-19T16:24:17Z Simon Charette charette.s@gmail.com 2026-02-01T21:53:54Z urn:sha1:f05fac88c4699c6d04a8f1ac3328cf6c7bd39228 This ensures all database identifiers are quoted independently of their orign and most importantly that user provided aliases through annotate() and alias() which paves the way for dropping the allow list of characters such aliases can contain. This will require adjustments to raw SQL interfaces such as RawSQL that might make reference to ORM managed annotations as these will now be quoted. The `SQLCompiler.quote_name_unless_alias` method is kept for now as an alias for the newly introduced `.quote_name` method but will be duly deprecated in a follow up commit. 2026-03-13T00:01:02Z Simon Charette charette.s@gmail.com 2025-11-22T18:32:34Z urn:sha1:1a8fd5cf75bf855852f6bc2f75c3da9f7b145669 The lack of ability of the get_placeholder call chain to return SQL and parameters separated so they can be mogrified by the backend at execution time forced implementations to dangerously interpolate potentially user controlled values. The get_placeholder_sql name was chosen due to its proximity to the previous method, but other options such as Field.as_sql were considered but ultimately rejected due to its different input signature compared to Expression.as_sql that might have lead to confusion. There is a lot of overlap between what Field.get_db_prep_value and get_placeholder_sql do but folding the latter in the former would require changing its return signature to return expression which is a way more invasive change than what is proposed here. Given we always call get_db_prep_value it might still be an avenue worth exploring in the future to offer a publicly documented interface to allow field to take an active part in the compilation chain. Thanks Jacob for the review. 2026-02-03T12:55:33Z Jacob Walls jacobtylerwalls@gmail.com 2026-01-21T22:53:52Z urn:sha1:69065ca869b0970dff8fdd8fafb390bf8b3bf222 Before, `order_by()` treated a period in a field name as a sign that it was requested via `.extra(order_by=...)` and thus should be passed through as raw table and column names, even if `extra()` was not used. Since periods are permitted in aliases, this meant user-controlled aliases could force the `order_by()` clause to resolve to a raw table and column pair instead of the actual target field for the alias. In practice, only `FilteredRelation` was affected, as the other expressions we tested, e.g. `F`, aggressively optimize away the ordering expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY "table".column. Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard for reviews. 2026-01-09T19:03:28Z YashRaj1506 yashraj504300@gmail.com 2026-01-04T11:07:23Z urn:sha1:9247410b4ba3b1f855567b8d84422d36345c690a Thanks Adam Sołtysik for the implementation idea. 2026-01-06T20:15:56Z VIZZARD-X vigneshanandmay13@gmail.com 2025-11-25T18:19:56Z urn:sha1:c68e4adea0703354508d51895b091771b1f6ac45 2025-12-04T16:37:22Z Tim Graham timograham@gmail.com 2025-12-03T23:06:53Z urn:sha1:17d644c8e257c2ea5cc738fb7a9c47989e29bf09 This is also applicable on CockroachDB. 2025-10-29T11:38:20Z Jacob Walls jacobtylerwalls@gmail.com 2025-10-27T16:27:30Z urn:sha1:787cc96ef6197d73c7d4ad96f25500910c399603 2025-10-24T19:51:39Z Ken Nzioka nzioker@gmail.com 2025-10-22T07:48:23Z urn:sha1:3ff32c50d143d8a498f9a5dfef1a31b16a7456fe 2025-09-13T22:27:49Z Simon Charette charette.s@gmail.com 2025-03-19T05:11:34Z urn:sha1:55a0073b3beb9de8f7c1f7c44a7d0bc10126c841 This required implementing UPDATE RETURNING machinery that heavily borrows from the INSERT one.