Django gives you two ways of performing raw SQL queries: you can useManager.raw()
to perform raw queries and return model instances, oryou can avoid the model layer entirely and execute custom SQL directly.
Browse our selection of Smart Signal Boosters that solve poor cellular coverage issues for a wide variety of markets. The Cel-Fi product line is the best solution on the market! At a frequency of 1 kHz, 1 phon is defined to be equal to 1 dB of sound pressure level above the nominal threshold of hearing, the sound pressure level SPL of 20 µPa (micropascals) = 2×10 −5 pascal (Pa). Our ears as sensors cannot convert sound intensities and powers, they can only use the sound pressure changes between 20 Hz and 20,000 Hz. Recorded at: Colgate Mansion in Sharon, Connecticut, United States. Recording of: Rip It Out. Writer: Ace Frehley, Larry Kelly ( vocalist, member of Ace Frehley's pre-KISS bands, co-writer of 'Rip It Out') and Sue Kelly.
Explore the ORM before using raw SQL!
The Django ORM provides many tools to express queries without writing rawSQL. For example:
- The QuerySet API is extensive.
- You can
annotate
and aggregate using many built-in database functions. Beyond those, you can createcustom query expressions.
Before using raw SQL, explore the ORM. Ask onone of the support channels to see if the ORM supportsyour use case.
Warning
You should be very careful whenever you write raw SQL. Every time you useit, you should properly escape any parameters that the user can controlby using params
in order to protect against SQL injection attacks.Please read more about SQL injection protection.
Performing raw queries¶
The raw()
manager method can be used to perform raw SQL queries thatreturn model instances:
Manager.
raw
(raw_query, params=(), translations=None)¶
This method takes a raw SQL query, executes it, and returns adjango.db.models.query.RawQuerySet
instance. This RawQuerySet
instancecan be iterated over like a normal QuerySet
toprovide object instances.
This is best illustrated with an example. Suppose you have the following model:
You could then execute custom SQL like so:
This example isn't very exciting – it's exactly the same as runningPerson.objects.all()
. However, raw()
has a bunch of other options thatmake it very powerful.
Model table names
Where did the name of the Person
table come from in that example?
By default, Django figures out a database table name by joining themodel's 'app label' – the name you used in manage.pystartapp
– tothe model's class name, with an underscore between them. In the examplewe've assumed that the Person
model lives in an app named myapp
,so its table would be myapp_person
.
For more details check out the documentation for thedb_table
option, which also lets you manually set thedatabase table name.
Warning
No checking is done on the SQL statement that is passed in to .raw()
.Django expects that the statement will return a set of rows from thedatabase, but does nothing to enforce that. If the query does notreturn rows, a (possibly cryptic) error will result.
Warning
If you are performing queries on MySQL, note that MySQL's silent type coercionmay cause unexpected results when mixing types. If you query on a stringtype column, but with an integer value, MySQL will coerce the types of all valuesin the table to an integer before performing the comparison. For example, if yourtable contains the values 'abc'
, 'def'
and you query for WHEREmycolumn=0
,both rows will match. To prevent this, perform the correct typecastingbefore using the value in a query.
The default value of the params
argument was changed from None
toan empty tuple.
Mapping query fields to model fields¶
raw()
automatically maps fields in the query to fields on the model.
The order of fields in your query doesn't matter. In other words, bothof the following queries work identically:
Matching is done by name. This means that you can use SQL's AS
clauses tomap fields in the query to model fields. So if you had some other table thathad Person
data in it, you could easily map it into Person
instances:
As long as the names match, the model instances will be created correctly.
Alternatively, you can map fields in the query to model fields using thetranslations
argument to raw()
. This is a dictionary mapping names offields in the query to names of fields on the model. For example, the abovequery could also be written:
Index lookups¶
Db Solo 5 2 3 Images
raw()
supports indexing, so if you need only the first result you canwrite:
However, the indexing and slicing are not performed at the database level. Ifyou have a large number of Person
objects in your database, it is moreefficient to limit the query at the SQL level:
Deferring model fields¶
Fields may also be left out:
The Person
objects returned by this query will be deferred model instances(see defer()
). This means that thefields that are omitted from the query will be loaded on demand. For example:
From outward appearances, this looks like the query has retrieved boththe first name and last name. However, this example actually issued 3queries. Only the first names were retrieved by the raw() query – thelast names were both retrieved on demand when they were printed.
There is only one field that you can't leave out - the primary keyfield. Django uses the primary key to identify model instances, so itmust always be included in a raw query. AFieldDoesNotExist
exception will be raised ifyou forget to include the primary key.
Adding annotations¶
Db Solo 5 2 360
You can also execute queries containing fields that aren't defined on themodel. For example, we could use PostgreSQL's age() function to get a listof people with their ages calculated by the database:
You can often avoid using raw SQL to compute annotations by instead using aFunc() expression.
Passing parameters into raw()
¶
If you need to perform parameterized queries, you can use the params
argument to raw()
: Boxy svg 3 22 7.
params
is a list or dictionary of parameters. You'll use %s
placeholders in the query string for a list, or %(key)s
placeholders for a dictionary (where key
is replaced by adictionary key), regardless of your database engine. Such placeholders will bereplaced with parameters from the params
argument.
Note
Dictionary params are not supported with the SQLite backend; withthis backend, you must pass parameters as a list.
Warning
Do not use string formatting on raw queries or quote placeholders in yourSQL strings!
It's tempting to write the above query as:
You might also think you should write your query like this (with quotesaround %s
):
Don't make either of these mistakes.
As discussed in SQL injection protection, using the params
argument and leaving the placeholders unquoted protects you from SQLinjection attacks, a common exploit where attackers inject arbitrarySQL into your database. If you use string interpolation or quote theplaceholder, you're at risk for SQL injection.
Executing custom SQL directly¶
Sometimes even Manager.raw()
isn't quite enough: you might need toperform queries that don't map cleanly to models, or directly executeUPDATE
, INSERT
, or DELETE
queries.
In these cases, you can always access the database directly, routing aroundthe model layer entirely.
The object django.db.connection
represents the default databaseconnection. To use the database connection, call connection.cursor()
toget a cursor object. Then, call cursor.execute(sql,[params])
to executethe SQL and cursor.fetchone()
or cursor.fetchall()
to return theresulting rows.
For example:
To protect against SQL injection, you must not include quotes around the %s
placeholders in the SQL string.
Note that if you want to include literal percent signs in the query, you have todouble them in the case you are passing parameters:
If you are using more than one database, you canuse django.db.connections
to obtain the connection (and cursor) for aspecific database. django.db.connections
is a dictionary-likeobject that allows you to retrieve a specific connection using itsalias:
By default, the Python DB API will return results without their field names,which means you end up with a list
of values, rather than a dict
. At asmall performance and memory cost, you can return results as a dict
byusing something like this:
Another option is to use collections.namedtuple()
from the Pythonstandard library. A namedtuple
is a tuple-like object that has fieldsaccessible by attribute lookup; it's also indexable and iterable. Results areimmutable and accessible by field names or indices, which might be useful:
Here is an example of the difference between the three:
Connections and cursors¶
connection
and cursor
mostly implement the standard Python DB-APIdescribed in PEP 249 — except when it comes to transaction handling.
If you're not familiar with the Python DB-API, note that the SQL statement incursor.execute()
uses placeholders, '%s'
, rather than addingparameters directly within the SQL. If you use this technique, the underlyingdatabase library will automatically escape your parameters as necessary.
Also note that Django expects the '%s'
placeholder, not the '?'
placeholder, which is used by the SQLite Python bindings. This is for the sakeof consistency and sanity.
Using a cursor as a context manager:
is equivalent to:
Calling stored procedures¶
CursorWrapper.
callproc
(procname, params=None, kparams=None)¶Calls a database stored procedure with the given name. A sequence(params
) or dictionary (kparams
) of input parameters may beprovided. Most databases don't support kparams
. Of Django's built-inbackends, only Oracle supports it.
For example, given this stored procedure in an Oracle database:
This will call it: