diff options
| author | Simon Charette <charette.s@gmail.com> | 2026-02-01 16:53:54 -0500 |
|---|---|---|
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-03-19 12:24:17 -0400 |
| commit | f05fac88c4699c6d04a8f1ac3328cf6c7bd39228 (patch) | |
| tree | 2399222aaed0ad6d9e466e914d178f08cd6e8337 /docs/releases | |
| parent | 4b2b4bf0ac2707dc9c4d51cabfa72168eaea95fe (diff) | |
Fixed #36795 -- Enforced quoting of all database object names.
This ensures all database identifiers are quoted independently of their orign
and most importantly that user provided aliases through annotate() and alias()
which paves the way for dropping the allow list of characters such aliases can
contain.
This will require adjustments to raw SQL interfaces such as RawSQL that might
make reference to ORM managed annotations as these will now be quoted.
The `SQLCompiler.quote_name_unless_alias` method is kept for now as an alias
for the newly introduced `.quote_name` method but will be duly deprecated in
a follow up commit.
Diffstat (limited to 'docs/releases')
| -rw-r--r-- | docs/releases/6.1.txt | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/docs/releases/6.1.txt b/docs/releases/6.1.txt index 1bd4f091aa..56b11deb80 100644 --- a/docs/releases/6.1.txt +++ b/docs/releases/6.1.txt @@ -434,6 +434,16 @@ backends. instead of the JSON ``null`` primitive. This matches the behavior of a standalone :class:`~django.db.models.JSONField` when storing ``None`` values. +Models +------ + +* SQL ``SELECT`` aliases originating from :meth:`.QuerySet.annotate` + calls as well as table and ``JOIN`` aliases are now systematically quoted to + prevent special character collisions. Because quoted aliases are + case-sensitive, *raw* SQL references to aliases mixing case, such as when + using :class:`.RawSQL`, might have to be adjusted to also make use of + quoting. + System checks ------------- |