diff options
Diffstat (limited to 'django/core/meta/__init__.py')
-rw-r--r-- | django/core/meta/__init__.py | 168 |
1 files changed, 113 insertions, 55 deletions
diff --git a/django/core/meta/__init__.py b/django/core/meta/__init__.py index 22ce51d0a5..328a2f449c 100644 --- a/django/core/meta/__init__.py +++ b/django/core/meta/__init__.py @@ -57,14 +57,16 @@ def orderfield2column(f, opts): return f def orderlist2sql(order_list, opts, prefix=''): + if prefix.endswith('.'): + prefix = db.db.quote_name(prefix[:-1]) + '.' output = [] for f in handle_legacy_orderlist(order_list): if f.startswith('-'): - output.append('%s%s DESC' % (prefix, orderfield2column(f[1:], opts))) + output.append('%s%s DESC' % (prefix, db.db.quote_name(orderfield2column(f[1:], opts)))) elif f == '?': output.append(db.get_random_function_sql()) else: - output.append('%s%s ASC' % (prefix, orderfield2column(f, opts))) + output.append('%s%s ASC' % (prefix, db.db.quote_name(orderfield2column(f, opts)))) return ', '.join(output) def get_module(app_label, module_name): @@ -785,27 +787,31 @@ def method_save(opts, self): record_exists = True if pk_set: # Determine whether a record with the primary key already exists. - cursor.execute("SELECT 1 FROM %s WHERE %s=%%s LIMIT 1" % (opts.db_table, opts.pk.column), [pk_val]) + cursor.execute("SELECT 1 FROM %s WHERE %s=%%s LIMIT 1" % \ + (db.db.quote_name(opts.db_table), db.db.quote_name(opts.pk.column)), [pk_val]) # If it does already exist, do an UPDATE. if cursor.fetchone(): db_values = [f.get_db_prep_save(f.pre_save(getattr(self, f.attname), False)) for f in non_pks] - cursor.execute("UPDATE %s SET %s WHERE %s=%%s" % (opts.db_table, - ','.join(['%s=%%s' % f.column for f in non_pks]), opts.pk.attname), + cursor.execute("UPDATE %s SET %s WHERE %s=%%s" % \ + (db.db.quote_name(opts.db_table), + ','.join(['%s=%%s' % db.db.quote_name(f.column) for f in non_pks]), + db.db.quote_name(opts.pk.attname)), db_values + [pk_val]) else: record_exists = False if not pk_set or not record_exists: - field_names = [f.column for f in opts.fields if not isinstance(f, AutoField)] + field_names = [db.db.quote_name(f.column) for f in opts.fields if not isinstance(f, AutoField)] placeholders = ['%s'] * len(field_names) db_values = [f.get_db_prep_save(f.pre_save(getattr(self, f.attname), True)) for f in opts.fields if not isinstance(f, AutoField)] if opts.order_with_respect_to: - field_names.append('_order') + field_names.append(db.db.quote_name('_order')) # TODO: This assumes the database supports subqueries. placeholders.append('(SELECT COUNT(*) FROM %s WHERE %s = %%s)' % \ - (opts.db_table, opts.order_with_respect_to.column)) + (db.db.quote_name(opts.db_table), db.db.quote_name(opts.order_with_respect_to.column))) db_values.append(getattr(self, opts.order_with_respect_to.attname)) - cursor.execute("INSERT INTO %s (%s) VALUES (%s)" % (opts.db_table, - ','.join(field_names), ','.join(placeholders)), db_values) + cursor.execute("INSERT INTO %s (%s) VALUES (%s)" % \ + (db.db.quote_name(opts.db_table), ','.join(field_names), + ','.join(placeholders)), db_values) if opts.has_auto_field: setattr(self, opts.pk.attname, db.get_last_insert_id(cursor, opts.db_table, opts.pk.column)) db.db.commit() @@ -832,12 +838,17 @@ def method_delete(opts, self): for sub_obj in getattr(self, 'get_%s_list' % rel_opts_name)(): sub_obj.delete() for rel_opts, rel_field in opts.get_all_related_many_to_many_objects(): - cursor.execute("DELETE FROM %s WHERE %s_id=%%s" % (rel_field.get_m2m_db_table(rel_opts), - self._meta.object_name.lower()), [getattr(self, opts.pk.attname)]) + cursor.execute("DELETE FROM %s WHERE %s=%%s" % \ + (db.db.quote_name(rel_field.get_m2m_db_table(rel_opts)), + db.db.quote_name(self._meta.object_name.lower() + '_id')), [getattr(self, opts.pk.attname)]) for f in opts.many_to_many: - cursor.execute("DELETE FROM %s WHERE %s_id=%%s" % (f.get_m2m_db_table(opts), self._meta.object_name.lower()), + cursor.execute("DELETE FROM %s WHERE %s=%%s" % \ + (db.db.quote_name(f.get_m2m_db_table(opts)), + db.db.quote_name(self._meta.object_name.lower() + '_id')), [getattr(self, opts.pk.attname)]) - cursor.execute("DELETE FROM %s WHERE %s=%%s" % (opts.db_table, opts.pk.column), [getattr(self, opts.pk.attname)]) + cursor.execute("DELETE FROM %s WHERE %s=%%s" % \ + (db.db.quote_name(opts.db_table), db.db.quote_name(opts.pk.column)), + [getattr(self, opts.pk.attname)]) db.db.commit() setattr(self, opts.pk.attname, None) for f in opts.fields: @@ -854,16 +865,20 @@ def method_delete(opts, self): def method_get_next_in_order(opts, order_field, self): if not hasattr(self, '_next_in_order_cache'): self._next_in_order_cache = opts.get_model_module().get_object(order_by=('_order',), - where=['_order > (SELECT _order FROM %s WHERE %s=%%s)' % (opts.db_table, opts.pk.column), - '%s=%%s' % order_field.column], limit=1, + where=['%s > (SELECT %s FROM %s WHERE %s=%%s)' % \ + (db.db.quote_name('_order'), db.db.quote_name('_order'), + db.db.quote_name(opts.db_table), db.db.quote_name(opts.pk.column)), + '%s=%%s' % db.db.quote_name(order_field.column)], limit=1, params=[getattr(self, opts.pk.attname), getattr(self, order_field.attname)]) return self._next_in_order_cache def method_get_previous_in_order(opts, order_field, self): if not hasattr(self, '_previous_in_order_cache'): self._previous_in_order_cache = opts.get_model_module().get_object(order_by=('-_order',), - where=['_order < (SELECT _order FROM %s WHERE %s=%%s)' % (opts.db_table, opts.pk.column), - '%s=%%s' % order_field.column], limit=1, + where=['%s < (SELECT %s FROM %s WHERE %s=%%s)' % \ + (db.db.quote_name('_order'), db.db.quote_name('_order'), + db.db.quote_name(opts.db_table), db.db.quote_name(opts.pk.column)), + '%s=%%s' % db.db.quote_name(order_field.column)], limit=1, params=[getattr(self, opts.pk.attname), getattr(self, order_field.attname)]) return self._previous_in_order_cache @@ -888,10 +903,13 @@ def method_get_many_to_many(field_with_rel, self): cache_var = '_%s_cache' % field_with_rel.name if not hasattr(self, cache_var): mod = rel.get_model_module() - sql = "SELECT %s FROM %s a, %s b WHERE a.%s = b.%s_id AND b.%s_id = %%s %s" % \ - (','.join(['a.%s' % f.column for f in rel.fields]), rel.db_table, - field_with_rel.get_m2m_db_table(self._meta), rel.pk.column, - rel.object_name.lower(), self._meta.object_name.lower(), rel.get_order_sql('a')) + sql = "SELECT %s FROM %s a, %s b WHERE a.%s = b.%s AND b.%s = %%s %s" % \ + (','.join(['a.%s' % db.db.quote_name(f.column) for f in rel.fields]), + db.db.quote_name(rel.db_table), + db.db.quote_name(field_with_rel.get_m2m_db_table(self._meta)), + db.db.quote_name(rel.pk.column), + db.db.quote_name(rel.object_name.lower() + '_id'), + db.db.quote_name(self._meta.object_name.lower() + '_id'), rel.get_order_sql('a')) cursor = db.db.cursor() cursor.execute(sql, [getattr(self, self._meta.pk.attname)]) setattr(self, cache_var, [getattr(mod, rel.object_name)(*row) for row in cursor.fetchall()]) @@ -916,10 +934,16 @@ def method_set_many_to_many(rel_field, self, id_list): cursor = db.db.cursor() this_id = getattr(self, self._meta.pk.attname) if ids_to_delete: - sql = "DELETE FROM %s WHERE %s_id = %%s AND %s_id IN (%s)" % (m2m_table, self._meta.object_name.lower(), rel.object_name.lower(), ','.join(map(str, ids_to_delete))) + sql = "DELETE FROM %s WHERE %s = %%s AND %s IN (%s)" % \ + (db.db.quote_name(m2m_table), + db.db.quote_name(self._meta.object_name.lower() + '_id'), + db.db.quote_name(rel.object_name.lower() + '_id'), ','.join(map(str, ids_to_delete))) cursor.execute(sql, [this_id]) if ids_to_add: - sql = "INSERT INTO %s (%s_id, %s_id) VALUES (%%s, %%s)" % (m2m_table, self._meta.object_name.lower(), rel.object_name.lower()) + sql = "INSERT INTO %s (%s, %s) VALUES (%%s, %%s)" % \ + (db.db.quote_name(m2m_table), + db.db.quote_name(self._meta.object_name.lower() + '_id'), + db.db.quote_name(rel.object_name.lower() + '_id')) cursor.executemany(sql, [(this_id, i) for i in ids_to_add]) db.db.commit() try: @@ -965,8 +989,13 @@ def method_set_related_many_to_many(rel_opts, rel_field, self, id_list): m2m_table = rel_field.get_m2m_db_table(rel_opts) this_id = getattr(self, self._meta.pk.attname) cursor = db.db.cursor() - cursor.execute("DELETE FROM %s WHERE %s_id = %%s" % (m2m_table, rel.object_name.lower()), [this_id]) - sql = "INSERT INTO %s (%s_id, %s_id) VALUES (%%s, %%s)" % (m2m_table, rel.object_name.lower(), rel_opts.object_name.lower()) + cursor.execute("DELETE FROM %s WHERE %s = %%s" % \ + (db.db.quote_name(m2m_table), + db.db.quote_name(rel.object_name.lower() + '_id')), [this_id]) + sql = "INSERT INTO %s (%s, %s) VALUES (%%s, %%s)" % \ + (db.db.quote_name(m2m_table), + db.db.quote_name(rel.object_name.lower() + '_id'), + db.db.quote_name(rel_opts.object_name.lower() + '_id')) cursor.executemany(sql, [(this_id, i) for i in id_list]) db.db.commit() @@ -975,7 +1004,10 @@ def method_set_related_many_to_many(rel_opts, rel_field, self, id_list): def method_set_order(ordered_obj, self, id_list): cursor = db.db.cursor() # Example: "UPDATE poll_choices SET _order = %s WHERE poll_id = %s AND id = %s" - sql = "UPDATE %s SET _order = %%s WHERE %s = %%s AND %s = %%s" % (ordered_obj.db_table, ordered_obj.order_with_respect_to.column, ordered_obj.pk.column) + sql = "UPDATE %s SET %s = %%s WHERE %s = %%s AND %s = %%s" % \ + (db.db.quote_name(ordered_obj.db_table), db.db.quote_name('_order'), + db.db.quote_name(ordered_obj.order_with_respect_to.column), + db.db.quote_name(ordered_obj.pk.column)) rel_val = getattr(self, ordered_obj.order_with_respect_to.rel.field_name) cursor.executemany(sql, [(i, rel_val, j) for i, j in enumerate(id_list)]) db.db.commit() @@ -983,7 +1015,11 @@ def method_set_order(ordered_obj, self, id_list): def method_get_order(ordered_obj, self): cursor = db.db.cursor() # Example: "SELECT id FROM poll_choices WHERE poll_id = %s ORDER BY _order" - sql = "SELECT %s FROM %s WHERE %s = %%s ORDER BY _order" % (ordered_obj.pk.column, ordered_obj.db_table, ordered_obj.order_with_respect_to.column) + sql = "SELECT %s FROM %s WHERE %s = %%s ORDER BY %s" % \ + (db.db.quote_name(ordered_obj.pk.column), + db.db.quote_name(ordered_obj.db_table), + db.db.quote_name(ordered_obj.order_with_respect_to.column), + db.db.quote_name('_order')) rel_val = getattr(self, ordered_obj.order_with_respect_to.rel.field_name) cursor.execute(sql, [rel_val]) return [r[0] for r in cursor.fetchall()] @@ -993,7 +1029,8 @@ def method_get_order(ordered_obj, self): def method_get_next_or_previous(get_object_func, opts, field, is_next, self, **kwargs): op = is_next and '>' or '<' kwargs.setdefault('where', []).append('(%s %s %%s OR (%s = %%s AND %s %s %%s))' % \ - (field.column, op, field.column, opts.pk.column, op)) + (db.db.quote_name(field.column), op, db.db.quote_name(field.column), + db.db.quote_name(opts.pk.column), op)) param = str(getattr(self, field.attname)) kwargs.setdefault('params', []).extend([param, param, getattr(self, opts.pk.attname)]) kwargs['order_by'] = [(not is_next and '-' or '') + field.name, (not is_next and '-' or '') + opts.pk.name] @@ -1080,6 +1117,9 @@ def get_absolute_url(opts, func, self): return settings.ABSOLUTE_URL_OVERRIDES.get('%s.%s' % (opts.app_label, opts.module_name), func)(self) def _get_where_clause(lookup_type, table_prefix, field_name, value): + if table_prefix.endswith('.'): + table_prefix = db.db.quote_name(table_prefix[:-1])+'.' + field_name = db.db.quote_name(field_name) try: return '%s%s %s %%s' % (table_prefix, field_name, db.OPERATOR_MAPPING[lookup_type]) except KeyError: @@ -1160,7 +1200,7 @@ def function_get_values_iterator(opts, klass, **kwargs): cursor = db.db.cursor() _, sql, params = function_get_sql_clause(opts, **kwargs) - select = ['%s.%s' % (opts.db_table, f) for f in fields] + select = ['%s.%s' % (db.db.quote_name(opts.db_table), db.db.quote_name(f)) for f in fields] cursor.execute("SELECT " + (kwargs.get('distinct') and "DISTINCT " or "") + ",".join(select) + sql, params) while 1: rows = cursor.fetchmany(GET_ITERATOR_CHUNK_SIZE) @@ -1181,14 +1221,16 @@ def _fill_table_cache(opts, select, tables, where, old_prefix, cache_tables_seen if f.rel and not f.null: db_table = f.rel.to.db_table if db_table not in cache_tables_seen: - tables.append(db_table) + tables.append(db.db.quote_name(db_table)) else: # The table was already seen, so give it a table alias. new_prefix = '%s%s' % (db_table, len(cache_tables_seen)) - tables.append('%s %s' % (db_table, new_prefix)) + tables.append('%s %s' % (db.db.quote_name(db_table), db.db.quote_name(new_prefix))) db_table = new_prefix cache_tables_seen.append(db_table) - where.append('%s.%s = %s.%s' % (old_prefix, f.column, db_table, f.rel.get_related_field().column)) - select.extend(['%s.%s' % (db_table, f2.column) for f2 in f.rel.to.fields]) + where.append('%s.%s = %s.%s' % \ + (db.db.quote_name(old_prefix), db.db.quote_name(f.column), + db.db.quote_name(db_table), db.db.quote_name(f.rel.get_related_field().column))) + select.extend(['%s.%s' % (db.db.quote_name(db_table), db.db.quote_name(f2.column)) for f2 in f.rel.to.fields]) _fill_table_cache(f.rel.to, select, tables, where, db_table, cache_tables_seen) def _throw_bad_kwarg_error(kwarg): @@ -1247,11 +1289,15 @@ def _parse_lookup(kwarg_items, opts, table_count=0): # Try many-to-many relationships first... for f in current_opts.many_to_many: if f.name == current: - rel_table_alias = 't%s' % table_count + rel_table_alias = db.db.quote_name('t%s' % table_count) table_count += 1 - tables.append('%s %s' % (f.get_m2m_db_table(current_opts), rel_table_alias)) - join_where.append('%s.%s = %s.%s_id' % (current_table_alias, current_opts.pk.column, - rel_table_alias, current_opts.object_name.lower())) + tables.append('%s %s' % \ + (db.db.quote_name(f.get_m2m_db_table(current_opts)), rel_table_alias)) + join_where.append('%s.%s = %s.%s' % \ + (db.db.quote_name(current_table_alias), + db.db.quote_name(current_opts.pk.column), + rel_table_alias, + db.db.quote_name(current_opts.object_name.lower() + '_id'))) # Optimization: In the case of primary-key lookups, we # don't have to do an extra join. if lookup_list and lookup_list[0] == f.rel.to.pk.name and lookup_type == 'exact': @@ -1262,9 +1308,13 @@ def _parse_lookup(kwarg_items, opts, table_count=0): param_required = False else: new_table_alias = 't%s' % table_count - tables.append('%s %s' % (f.rel.to.db_table, new_table_alias)) - join_where.append('%s.%s_id = %s.%s' % (rel_table_alias, f.rel.to.object_name.lower(), - new_table_alias, f.rel.to.pk.column)) + tables.append('%s %s' % (db.db.quote_name(f.rel.to.db_table), + db.db.quote_name(new_table_alias))) + join_where.append('%s.%s = %s.%s' % \ + (db.db.quote_name(rel_table_alias), + db.db.quote_name(f.rel.to.object_name.lower() + '_id'), + db.db.quote_name(new_table_alias), + db.db.quote_name(f.rel.to.pk.column))) current_table_alias = new_table_alias param_required = True current_opts = f.rel.to @@ -1287,9 +1337,11 @@ def _parse_lookup(kwarg_items, opts, table_count=0): params.extend(f.get_db_prep_lookup(lookup_type, kwarg_value)) else: new_table_alias = 't%s' % table_count - tables.append('%s %s' % (f.rel.to.db_table, new_table_alias)) - join_where.append('%s.%s = %s.%s' % (current_table_alias, f.column, \ - new_table_alias, f.rel.to.pk.column)) + tables.append('%s %s' % \ + (db.db.quote_name(f.rel.to.db_table), db.db.quote_name(new_table_alias))) + join_where.append('%s.%s = %s.%s' % \ + (db.db.quote_name(current_table_alias), db.db.quote_name(f.column), + db.db.quote_name(new_table_alias), db.db.quote_name(f.rel.to.pk.column))) current_table_alias = new_table_alias param_required = True current_opts = f.rel.to @@ -1308,8 +1360,9 @@ def _parse_lookup(kwarg_items, opts, table_count=0): return tables, join_where, where, params, table_count def function_get_sql_clause(opts, **kwargs): - select = ["%s.%s" % (opts.db_table, f.column) for f in opts.fields] + select = ["%s.%s" % (db.db.quote_name(opts.db_table), db.db.quote_name(f.column)) for f in opts.fields] tables = [opts.db_table] + (kwargs.get('tables') and kwargs['tables'][:] or []) + tables = [db.db.quote_name(t) for t in tables] where = kwargs.get('where') and kwargs['where'][:] or [] params = kwargs.get('params') and kwargs['params'][:] or [] @@ -1328,7 +1381,7 @@ def function_get_sql_clause(opts, **kwargs): # Add any additional SELECTs passed in via kwargs. if kwargs.get('select'): - select.extend(['(%s) AS %s' % (s[1], s[0]) for s in kwargs['select']]) + select.extend(['(%s) AS %s' % (db.db.quote_name(s[1]), db.db.quote_name(s[0])) for s in kwargs['select']]) # ORDER BY clause order_by = [] @@ -1342,13 +1395,17 @@ def function_get_sql_clause(opts, **kwargs): else: col_name = f order = "ASC" - # Use the database table as a column prefix if it wasn't given, - # and if the requested column isn't a custom SELECT. - if "." not in col_name and col_name not in [k[0] for k in kwargs.get('select', [])]: - table_prefix = opts.db_table + '.' + if "." in col_name: + table_prefix, col_name = col_name.split('.', 1) + table_prefix = db.db.quote_name(table_prefix) + '.' else: - table_prefix = '' - order_by.append('%s%s %s' % (table_prefix, orderfield2column(col_name, opts), order)) + # Use the database table as a column prefix if it wasn't given, + # and if the requested column isn't a custom SELECT. + if "." not in col_name and col_name not in [k[0] for k in kwargs.get('select', [])]: + table_prefix = db.db.quote_name(opts.db_table) + '.' + else: + table_prefix = '' + order_by.append('%s%s %s' % (table_prefix, db.db.quote_name(orderfield2column(col_name, opts)), order)) order_by = ", ".join(order_by) # LIMIT and OFFSET clauses @@ -1363,7 +1420,7 @@ def function_get_sql_clause(opts, **kwargs): def function_get_in_bulk(opts, klass, *args, **kwargs): id_list = args and args[0] or kwargs['id_list'] assert id_list != [], "get_in_bulk() cannot be passed an empty list." - kwargs['where'] = ["%s.%s IN (%s)" % (opts.db_table, opts.pk.column, ",".join(['%s'] * len(id_list)))] + kwargs['where'] = ["%s.%s IN (%s)" % (db.db.quote_name(opts.db_table), db.db.quote_name(opts.pk.column), ",".join(['%s'] * len(id_list)))] kwargs['params'] = id_list obj_list = function_get_list(opts, klass, **kwargs) return dict([(getattr(o, opts.pk.attname), o) for o in obj_list]) @@ -1384,9 +1441,10 @@ def function_get_date_list(opts, field, *args, **kwargs): assert order in ('ASC', 'DESC'), "'order' must be either 'ASC' or 'DESC'" kwargs['order_by'] = [] # Clear this because it'll mess things up otherwise. if field.null: - kwargs.setdefault('where', []).append('%s.%s IS NOT NULL' % (opts.db_table, field.column)) + kwargs.setdefault('where', []).append('%s.%s IS NOT NULL' % \ + (db.db.quote_name(opts.db_table), db.db.quote_name(field.column))) select, sql, params = function_get_sql_clause(opts, **kwargs) - sql = 'SELECT %s %s GROUP BY 1 ORDER BY 1' % (db.get_date_trunc_sql(kind, '%s.%s' % (opts.db_table, field.column)), sql) + sql = 'SELECT %s %s GROUP BY 1 ORDER BY 1' % (db.get_date_trunc_sql(kind, '%s.%s' % (db.db.quote_name(opts.db_table), db.db.quote_name(field.column))), sql) cursor = db.db.cursor() cursor.execute(sql, params) # We have to manually run typecast_timestamp(str()) on the results, because |