summaryrefslogtreecommitdiff
path: root/django/db/models/sql
AgeCommit message (Collapse)Author
2025-10-01[6.0.x] Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), ↵Mariusz Felisiak
aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB. Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. Backport of 41b43c74bda19753c757036673ea9db74acf494a from main.
2025-09-22[6.0.x] Fixed #35453 -- Made ManyToManyField.concrete False.Ryan P Kilby
ManyToManyField was already excluded from fields, concrete_fields, and local_concrete_fields in Options. Backport of f9a44cc0fac653f8e0c2ab1cdfb12b2cc5c63fc2 from main
2025-09-14Refs #27222 -- Refreshed GeneratedFields values on save() initiated update.Simon Charette
This required implementing UPDATE RETURNING machinery that heavily borrows from the INSERT one.
2025-09-04Fixed #36481 -- Fixed QuerySet.update concrete fields check.Ryan P Kilby
FieldError is now emitted for invalid update calls involving reverse relations, where previously they failed with AttributeError.
2025-09-03Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in ↵Jake Howard
column aliases. Thanks Eyal Gabay (EyalSec) for the report.
2025-08-29Fixed #36431 -- Returned tuples for multi-column ForeignObject in ↵SaJH
values()/values_list(). Thanks Jacob Walls and Simon Charette for tests. Signed-off-by: SaJH <wogur981208@gmail.com>
2025-08-29Refs #36152 -- Suppressed duplicate warning when using "%" in alias via ↵Jacob Walls
values().
2025-08-28Refs #27222 -- Adapted RETURNING handling to be usable for UPDATE queries.Simon Charette
Renamed existing methods and abstractions used for INSERT … RETURNING to be generic enough to be used in the context of UPDATEs as well. This also consolidates SQL compliant implementations on BaseDatabaseOperations.
2025-08-07Fixed #36210, Refs #36181 -- Allowed Subquery usage in further lookups ↵Jacob Walls
against composite pks. Follow-up to 8561100425876bde3be4b2a22324655f74ff9609. Co-authored-by: Simon Charette <charette.s@gmail.com>
2025-07-23Refs #36500 -- Corrected rewrapped long lines fixed via a script.Mike Edmunds
Manually reformatted some comments and docstrings where autofix_w505.py changed the meaning of the formatting.
2025-07-23Refs #36500 -- Rewrapped long docstrings and block comments via a script.django-bot
Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505.
2025-06-20Fixed #36152 -- Deprecated use of "%" in column aliases.Jacob Walls
Unintentional support existed only on SQLite and Oracle.
2025-06-12Fixed #36442 -- Cloned FilteredRelation before rename_prefix_from_q.viliam mihalik
2025-05-16Fixed #36392 -- Raised ValueError when subquery referencing composite pk ↵Jacob Walls
selects too many columns.
2025-04-07Fixed #36301 -- Fixed select_for_update(of) crash when using ↵Simon Charette
values()/values_list(). Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a which allowed for annotations to be SELECT'ed before model field references through values()/values_list() and broke assumptions the select_for_update(of) table infererence logic had about model fields always being first. Refs #28900. Thanks OutOfFocus4 for the report and Sarah for the test.
2025-04-05Fixed #36299 -- Prevented field selection on QuerySet.alias() after values().Simon Charette
Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a. Refs #28900. Thanks Jeff Iadarola for the report and tests. Co-Authored-By: OutOfFocus4 <jeff.iadarola@gmail.com>
2025-04-03Fixed #36292 -- Fixed crash when aggregating over a group mixing transforms ↵Simon Charette
and references. Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a. Refs #28900 Thanks Patrick Altman for the report.
2025-03-31Refs #28909 -- Simplified code using unpacking generalizations.Aarni Koskela
2025-02-13Refs #36181 -- Removed the obsolete SubqueryConstraint machinery.Simon Charette
Adding proper support for subquery right-hand-sides to TupleIn made it obsolete.
2025-02-11Fixed #36149 -- Allowed subquery values against tuple exact and in lookups.Simon Charette
Non-tuple exact and in lookups have specialized logic for subqueries that can be adapted to properly assign select mask if unspecified and ensure the number of involved members are matching on both side of the operator.
2025-02-06Fixed #35677 -- Avoided non-sticky filtering of prefetched many-to-many.Simon Charette
The original queryset._next_is_sticky() call never had the intended effect as no further filtering was applied internally after the pk__in lookup making it a noop. In order to be coherent with how related filters are applied when retrieving objects from a related manager the effects of what calling _next_is_sticky() prior to applying annotations and filters to the queryset provided for prefetching are emulated by allowing the reuse of all pre-existing JOINs. Thanks David Glenck and Thiago Bellini Ribeiro for the detailed reports and tests.
2025-02-01Fixed #36088 -- Avoided unnecessary DEFAULT usage on bulk_create().Simon Charette
When all values of a field with a db_default are DatabaseDefault, which is the case most of the time, there is no point in specifying explicit DEFAULT for all INSERT VALUES as that's what the database will do anyway if not specified. In the case of PostgreSQL doing so can even be harmful as it prevents the usage of the UNNEST strategy and in the case of Oracle, which doesn't support the usage of the DEFAULT keyword, it unnecessarily requires providing literal db defaults. Thanks Lily Foote for the review.
2025-01-28Fixed #36122 -- Raised FieldError when updating with composite reference value.Simon Charette
Thanks Jacob Walls for the report and test.
2025-01-28Fixed #36120 -- Raised FieldError when targeting a composite primary key ↵Jacob Walls
field with QuerySet.update().
2025-01-27Fixed #36109 -- Fixed RecursionError when stacking FilteredRelation joins.Peter DeVita
2025-01-15Refs #16055 -- Removed get_joining_columns()/get_reverse_joining_columns() ↵Sarah Boyce
methods per deprecation timeline.
2025-01-13Fixed #36086 -- Fixed crash when using GeneratedField with non-AutoField pk.Simon Charette
The previous logic was systematically attempting to retrieve last_insert_id even for models without an AutoField primary key when they had a GeneratedField on backends that can't return columns from INSERT. The issue affected MySQL, SQLite < 3.35, and Oracle when the use_returning_into option was disabled and could result in either crashes when the non-auto primary key wasn't an IntegerField subclass or silent misassignment of bogus insert ids (0 or the previous auto primary key insert value) to the first defined generated field value.
2025-01-13Refs #373 -- Removed unused composite pk code in SQLInsertCompiler.Simon Charette
This logic could only be exercised if the composite primary key included an AutoField but it's not allowed yet (refs #35957). It was also slightly broken as it expected the AutoField to always be the first member of returning_fields.
2025-01-08Fixed #36065 -- Fixed ordering by expression referencing composite primary key.Simon Charette
Thanks Jacob Walls for the report and test and Csirmaz Bendegúz for the review.
2025-01-03Fixed #35918 -- Added support for execute_sql to directly return row counts.Raphael Gaschignard
2025-01-03Fixed #36029 -- Handled implicit exact lookups in condition depth checks for ↵Jacob Walls
FilteredRelation.
2024-12-11Refs #35936 -- Avoided field placeholder lookup for each value inserted.Simon Charette
By building the list of placeholders for each inserted fields once it doesn't have to be looked up for each inserted rows twice. The query_values_10000.benchmark.QueryValues10000.time_query_values_10000 ASV benchmark showed a 5% speed up for 10k items on SQLite for a single field insertion. Larger performance gains are expected when more fields are involved.
2024-11-29Fixed #373 -- Added CompositePrimaryKey.Bendeguz Csirmaz
Thanks Lily Foote and Simon Charette for reviews and mentoring this Google Summer of Code 2024 project. Co-authored-by: Simon Charette <charette.s@gmail.com> Co-authored-by: Lily Foote <code@lilyf.org>
2024-10-14Fixed #35744 -- Relabelled external aliases of combined queries.Simon Charette
Just like normal queries, combined queries' outer references might fully resolve before their reference is assigned its final alias. Refs #29338. Thanks Antony_K for the report and example, and thanks Mariusz Felisiak for the review.
2024-08-12Fixed #35586 -- Added support for set-returning database functions.Devin Cox
Aggregation optimization didn't account for not referenced set-returning annotations on Postgres. Co-authored-by: Simon Charette <charette.s@gmail.com>
2024-08-06Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks ↵Simon Charette
against JSON fields. Thanks Eyal (eyalgabay) for the report.
2024-08-02Fixed #35643 -- Fixed a crash when ordering a QuerySet by a reference ↵Simon Charette
containing "__". Regression in b0ad41198b3e333f57351e3fce5a1fb47f23f376. Refs #34013. The initial logic did not consider that annotation aliases can include lookup or transform separators. Thanks Gert Van Gool for the report and Mariusz Felisiak for the review.
2024-08-01Refs #373 -- Added tuple lookups.Bendeguz Csirmaz
2024-07-23Fixed #35585 -- Corrected Query.exists() call in Query.has_results().Flavio Curella
2024-07-22Fixed #35614 -- Prevented SQLCompiler.as_subquery_condition() from mutating ↵Bendeguz Csirmaz
a query.
2024-07-19Fixed #35559 -- Avoided unnecessary query on sliced union of empty queries.Simon Charette
While refs #34125 focused on the SQL correctness of slicing of union of potentially empty queries it missed an optimization opportunity to avoid performing a query at all when all queries are empty. Thanks Lucidiot for the report.
2024-07-16Doc'd purpose of tuple() in SQLCompiler.get_from_clause().Tim Graham
It was added in 01d440fa1e6b5c62acfa8b3fde43dfa1505f93c6 to prevent "RuntimeError: OrderedDict mutated during iteration". That particular issue was fixed in d660cee5bc68b597503c2a16f3d9928d52f93fb4 but the issue could remain in Join.as_sql() subclasses. Co-authored-by: Simon Charette <charette.s@gmail.com>
2024-07-15Removed leftover KeyError handling after Query.tables attribute cleanup.nessita
Follow up from f7f5edd50d03e8482f8a6da5fb5202b895d68cd6.
2024-07-09Fixed #35413 -- Made unsupported lookup error message more specific.wookkl
2024-07-03Refs #28900 -- Made Query.has_select_fields a computed property.Simon Charette
This should ensure it never drifts from Query.selected while maintaining backward compatibility.
2024-07-03Fixed #28900 -- Propagated all selected fields to combinator queries.Simon Charette
Previously, only the selected column aliases would be propagated and annotations were ignored.
2024-07-03Refs #28900 -- Made SELECT respect the order specified by values(*selected).Simon Charette
Previously the order was always extra_fields + model_fields + annotations with respective local ordering inferred from the insertion order of *selected. This commits introduces a new `Query.selected` propery that keeps tracks of the global select order as specified by on values assignment. This is crucial feature to allow the combination of queries mixing annotations and table references. It also allows the removal of the re-ordering shenanigans perform by ValuesListIterable in order to re-map the tuples returned from the database backend to the order specified by values_list() as they'll be in the right order at query compilation time. Refs #28553 as the initially reported issue that was only partially fixed for annotations by d6b6e5d0fd4e6b6d0183b4cf6e4bd4f9afc7bf67. Thanks Mariusz Felisiak and Sarah Boyce for review.
2024-06-25Used Query.add_annotation where appropriate.Simon Charette
This avoids manual .annotations and .append_annotation_mask manipulations.
2024-04-23Refs #35356 -- Clarified select related with masked field logic.Simon Charette
By always including related objects in the select mask via adjusting the defer logic (_get_defer_select_mask()), it becomes possible for select_related_descend() to treat forward and reverse relationships indistinctively. This work also simplifies and adds comments to select_related_descend() to make it easier to understand.
2024-04-23Fixed #35356 -- Deferred self-referential foreign key fields adequately.Simon Charette
While refs #34612 surfaced issues with reverse one-to-one fields deferrals, it missed that switching to storing remote fields would break self-referential relationships. This change switches to storing related objects in the select mask instead of remote fields to prevent collisions when dealing with self-referential relationships that might have a different directional mask. Despite fixing #21204 introduced a crash under some self-referential deferral conditions, it was simply not working even before that as it aggregated the sets of deferred fields by model. Thanks Joshua van Besouw for the report and Mariusz Felisiak for the review.