path: root/django/db/models/sql
Age  Author
    Commit message
2026-06-10  zhengkangyang
    Fixed #37142 -- Moved django_file_prefixes() to django.utils.warnings.
2026-05-18  Jacob Walls
    Refs #37097 -- Removed compilation-time order clearing on combined queries on Oracle.
    Thanks Simon Charette, JaeHyuck Sa, and Shai Berger for reviews.
2026-05-18  Jacob Walls
    Refs #36938 -- Reverted "Refs #36938 -- Tolerated unnecessary ordering in compound queries on SQLite."
    This mostly reverts 2314cdf1ff860058a6579bb9f9bac1253fc9ab43, but keeps the removal of some test skips.
2026-05-18  Jacob Walls
    Fixed #37097 -- Made Query.clear_ordering() clear ordering on combined queries also.
    Thanks Shai Berger for the report. Regression in 087bb9e8f3478d53f12b1737af865992af17c5f2. (That commit drove more traffic into an error that would have been reachable only with an explicit order_by() after each union().)
    Co-authored-by: Simon Charette <charettes@gmail.com>
    Co-authored-by: siddus <dcsid10@gmail.com>
2026-05-11  Jacob Walls
    Refs #36938 -- Tolerated unnecessary ordering in compound queries on SQLite.
2026-05-11  siddus
    Fixed #36938 -- Removed unnecessary ordering from compound queries.
2026-04-19  Anže Pečar
    Fixed #37047 -- Fixed crash in Query.orderby_issubset_groupby for descending and random order_by strings.
    Run this example:
    ```python
    from django.db.models import Max

    User.objects.values("is_staff").annotate(latest=Max("date_joined")).order_by("-latest").count()
    ```
    You should see the following exception:
    ```
    django.core.exceptions.FieldError: Cannot resolve keyword '-latest' into field.
    ```
    Regression in 2ce5cb0f7a4618dfdc5f5c10e53e2e9b9543d298.
2026-04-02  Eddy Adegnandjou
    Fixed #20024 -- Fixed handling of __in lookups with None in exclude().
    Thanks Simon Charette and Tim Graham for reviews, and Jason Hall for a prior iteration.
2026-03-19  Simon Charette
    Refs #36795 -- Deprecated SQLCompiler.quote_name_unless_alias().
    It has been superseded with .quote_name(), which ensures aliases are always quoted.
2026-03-19  Simon Charette
    Fixed #36795 -- Enforced quoting of all database object names.
    This ensures all database identifiers are quoted independently of their origin and most importantly that user-provided aliases through annotate() and alias() are, which paves the way for dropping the allow list of characters such aliases can contain. This will require adjustments to raw SQL interfaces such as RawSQL that might make reference to ORM-managed annotations as these will now be quoted. The `SQLCompiler.quote_name_unless_alias` method is kept for now as an alias for the newly introduced `.quote_name` method but will be duly deprecated in a follow-up commit.
2026-03-12  Simon Charette
    Fixed #36727 -- Deprecated Field.get_placeholder in favor of get_placeholder_sql.
    The lack of ability of the get_placeholder call chain to return SQL and parameters separately so they can be mogrified by the backend at execution time forced implementations to dangerously interpolate potentially user-controlled values. The get_placeholder_sql name was chosen due to its proximity to the previous method, but other options such as Field.as_sql were considered but ultimately rejected due to its different input signature compared to Expression.as_sql that might have led to confusion. There is a lot of overlap between what Field.get_db_prep_value and get_placeholder_sql do, but folding the latter into the former would require changing its return signature to return an expression, which is a way more invasive change than what is proposed here. Given we always call get_db_prep_value it might still be an avenue worth exploring in the future to offer a publicly documented interface to allow fields to take an active part in the compilation chain. Thanks Jacob for the review.
2026-02-03  Jacob Walls
    Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation aliases contain periods.
    This prevents failures at the database layer, given that aliases in the ON clause are not quoted. Systematically quoting aliases even in FilteredRelation is tracked in https://code.djangoproject.com/ticket/36795.
2026-02-03  Jacob Walls
    Fixed CVE-2026-1312 -- Protected order_by() from SQL injection via aliases with periods.
    Before, `order_by()` treated a period in a field name as a sign that it was requested via `.extra(order_by=...)` and thus should be passed through as raw table and column names, even if `extra()` was not used. Since periods are permitted in aliases, this meant user-controlled aliases could force the `order_by()` clause to resolve to a raw table and column pair instead of the actual target field for the alias. In practice, only `FilteredRelation` was affected, as the other expressions we tested, e.g. `F`, aggressively optimize away the ordering expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY "table".column.
    Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard for reviews.
2026-02-03  Jake Howard
    Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via control characters.
    Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs.
    Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews.
2026-01-16  JaeHyuck Sa
    Fixed #36352 -- Improved error message for fields excluded by prior values()/values_list() calls.
    Signed-off-by: JaeHyuck Sa <wogur981208@gmail.com>
2026-01-14  JaeHyuck Sa
    Fixed #36821 -- Treated empty strings as NULL for iexact lookups on Oracle.
    Signed-off-by: JaeHyuck Sa <wogur981208@gmail.com>
2026-01-09  YashRaj1506
    Fixed #36815 -- Optimized insertion of db_default fields in bulk_create().
    Thanks Adam Sołtysik for the implementation idea.
2026-01-06  VIZZARD-X
    Fixed #29257 -- Caught DatabaseError when attempting to close a possibly already-closed cursor.
2025-12-15  Michal Mládek
    Fixed #26434 -- Removed faulty clearing of ordering field when missing from explicit grouping.
    Co-authored-by: Simon Charette <charette.s@gmail.com>
2025-12-04  Tim Graham
    Added DatabaseFeatures.prohibits_dollar_signs_in_column_aliases.
    This is also applicable on CockroachDB.
2025-10-29  Jacob Walls
    Refs #35972 -- Returned params in a tuple in further lookups.
2025-10-28  Jacob Walls
    Reverted "Fixed #26434 -- Removed faulty clearing of ordering field when missing from explicit grouping."
    This reverts commit ea3a71c2d09f8281d8a50ed20e40e1fb13db5cd9. The implementation was flawed, as self.group_by contains Cols, not aliases.
2025-10-27  Michal Mládek
    Fixed #26434 -- Removed faulty clearing of ordering field when missing from explicit grouping.
    Co-authored-by: Simon Charette <charette.s@gmail.com>
2025-10-24  Ken Nzioka
    Fixed #36674 -- Fixed memory leak in select_related().
2025-10-01  Mariusz Felisiak
    Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.
    Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200.
2025-09-22  Ryan P Kilby
    Fixed #35453 -- Made ManyToManyField.concrete False.
    ManyToManyField was already excluded from fields, concrete_fields, and local_concrete_fields in Options.
2025-09-22  Shubham Singh
    Fixed #36480 -- Made values() resolving error mention unselected aliases.
    Follow-up to cb13792938f2c887134eb6b5164d89f8d8f9f1bd. Refs #34437.
2025-09-19  Jacob Walls
    Refs #36152, #35667 -- Used skip_file_prefixes in alias deprecation warning.
    Follow-up to 8ede411a81b40ca53362e6788601193c7e56a0cf.
2025-09-19  사재혁
    Fixed #36584, Refs #36149 -- Allowed subquery values against tuple in lookup via ForeignObject.
2025-09-14  Simon Charette
    Refs #27222 -- Refreshed GeneratedFields values on save() initiated update.
    This required implementing UPDATE RETURNING machinery that heavily borrows from the INSERT one.
2025-09-04  Ryan P Kilby
    Fixed #36481 -- Fixed QuerySet.update concrete fields check.
    FieldError is now emitted for invalid update calls involving reverse relations, where previously they failed with AttributeError.
2025-09-03  Jake Howard
    Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL injection in column aliases.
    Thanks Eyal Gabay (EyalSec) for the report.
2025-08-29  SaJH
    Fixed #36431 -- Returned tuples for multi-column ForeignObject in values()/values_list().
    Thanks Jacob Walls and Simon Charette for tests.
    Signed-off-by: SaJH <wogur981208@gmail.com>
2025-08-29  Jacob Walls
    Refs #36152 -- Suppressed duplicate warning when using "%" in alias via values().
2025-08-28  Simon Charette
    Refs #27222 -- Adapted RETURNING handling to be usable for UPDATE queries.
    Renamed existing methods and abstractions used for INSERT … RETURNING to be generic enough to be used in the context of UPDATEs as well. This also consolidates SQL compliant implementations on BaseDatabaseOperations.
2025-08-07  Jacob Walls
    Fixed #36210, Refs #36181 -- Allowed Subquery usage in further lookups against composite pks.
    Follow-up to 8561100425876bde3be4b2a22324655f74ff9609.
    Co-authored-by: Simon Charette <charette.s@gmail.com>
2025-07-23  Mike Edmunds
    Refs #36500 -- Corrected rewrapped long lines fixed via a script.
    Manually reformatted some comments and docstrings where autofix_w505.py changed the meaning of the formatting.
2025-07-23  django-bot
    Refs #36500 -- Rewrapped long docstrings and block comments via a script.
    Rewrapped long docstrings and block comments to 79 characters + newline using script from https://github.com/medmunds/autofix-w505.
2025-06-20  Jacob Walls
    Fixed #36152 -- Deprecated use of "%" in column aliases.
    Unintentional support existed only on SQLite and Oracle.
2025-06-12  viliam mihalik
    Fixed #36442 -- Cloned FilteredRelation before rename_prefix_from_q.
2025-05-16  Jacob Walls
    Fixed #36392 -- Raised ValueError when subquery referencing composite pk selects too many columns.
2025-04-07  Simon Charette
    Fixed #36301 -- Fixed select_for_update(of) crash when using values()/values_list().
    Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a which allowed for annotations to be SELECT'ed before model field references through values()/values_list() and broke assumptions the select_for_update(of) table inference logic had about model fields always being first. Refs #28900.
    Thanks OutOfFocus4 for the report and Sarah for the test.
2025-04-05  Simon Charette
    Fixed #36299 -- Prevented field selection on QuerySet.alias() after values().
    Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a. Refs #28900.
    Thanks Jeff Iadarola for the report and tests.
    Co-Authored-By: OutOfFocus4 <jeff.iadarola@gmail.com>
2025-04-03  Simon Charette
    Fixed #36292 -- Fixed crash when aggregating over a group mixing transforms and references.
    Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a. Refs #28900.
    Thanks Patrick Altman for the report.
2025-03-31  Aarni Koskela
    Refs #28909 -- Simplified code using unpacking generalizations.
2025-02-13  Simon Charette
    Refs #36181 -- Removed the obsolete SubqueryConstraint machinery.
    Adding proper support for subquery right-hand-sides to TupleIn made it obsolete.
2025-02-11  Simon Charette
    Fixed #36149 -- Allowed subquery values against tuple exact and in lookups.
    Non-tuple exact and in lookups have specialized logic for subqueries that can be adapted to properly assign select mask if unspecified and ensure the number of involved members are matching on both sides of the operator.
2025-02-06  Simon Charette
    Fixed #35677 -- Avoided non-sticky filtering of prefetched many-to-many.
    The original queryset._next_is_sticky() call never had the intended effect as no further filtering was applied internally after the pk__in lookup, making it a noop. In order to be coherent with how related filters are applied when retrieving objects from a related manager, the effects of what calling _next_is_sticky() prior to applying annotations and filters to the queryset provided for prefetching are emulated by allowing the reuse of all pre-existing JOINs.
    Thanks David Glenck and Thiago Bellini Ribeiro for the detailed reports and tests.
2025-02-01  Simon Charette
    Fixed #36088 -- Avoided unnecessary DEFAULT usage on bulk_create().
    When all values of a field with a db_default are DatabaseDefault, which is the case most of the time, there is no point in specifying explicit DEFAULT for all INSERT VALUES as that's what the database will do anyway if not specified. In the case of PostgreSQL doing so can even be harmful as it prevents the usage of the UNNEST strategy, and in the case of Oracle, which doesn't support the usage of the DEFAULT keyword, it unnecessarily requires providing literal db defaults.
    Thanks Lily Foote for the review.
2025-01-28  Simon Charette
    Fixed #36122 -- Raised FieldError when updating with composite reference value.
    Thanks Jacob Walls for the report and test.