diff --git a/content/developer/reference/backend/orm.rst b/content/developer/reference/backend/orm.rst index e1f68c356..af40454ca 100644 --- a/content/developer/reference/backend/orm.rst +++ b/content/developer/reference/backend/orm.rst @@ -726,6 +726,13 @@ joins) or for performance reasons:: Please make sure your queries are sanitized when using user input and prefer using ORM utilities if you don't really need to use SQL queries. +The recommended way to build SQL queries is to use the wrapper object + +.. autoclass:: odoo.tools.SQL + + .. automethod:: SQL.join + .. automethod:: SQL.identifier + One important thing to know about models is that they don't necessarily perform database updates right away. Indeed, for performance reasons, the framework delays the recomputation of fields after modifying records. And some database @@ -740,7 +747,7 @@ called *flushing* and performs the expected database updates. # make sure that 'partner_id' is up-to-date in database self.env['model'].flush_model(['partner_id']) - self.env.cr.execute("SELECT id FROM model WHERE partner_id IN %s", [ids]) + self.env.cr.execute(SQL("SELECT id FROM model WHERE partner_id IN %s", ids)) ids = [row[0] for row in self.env.cr.fetchall()] Before every SQL query, one has to flush the data needed for that query. There diff --git a/content/developer/reference/backend/orm/changelog.rst b/content/developer/reference/backend/orm/changelog.rst index 85842ea22..66ebd3b55 100644 --- a/content/developer/reference/backend/orm/changelog.rst +++ b/content/developer/reference/backend/orm/changelog.rst 
@@ -4,17 +4,24 @@ Changelog ========= +Odoo version 17.0 +================= + +- Introduce an :class:`~odoo.tools.SQL` wrapper object to make SQL composition + easier and safer with respect to SQL injections. Methods of the ORM now use it + internally. Introduced by `#134677 `_. + Odoo Online version 16.4 ======================== -- `odoo.models.Model.name_get` has been deprecated with +- Method :meth:`~odoo.models.Model.name_get` has been deprecated with `#122085 `_. - Read `display_name` instead. + Read field `display_name` instead. Odoo Online version 16.3 ======================== -- `odoo.models.Model._read_group` has a new signature with +- Method :meth:`~odoo.models.Model._read_group` has a new signature with `#110737 `_ Odoo Online version 16.2 @@ -22,9 +29,9 @@ Odoo Online version 16.2 - Refactor the implementation of searching and reading methods to be able to combine both in a minimal number of SQL queries. We introduce two new methods - `odoo.models.Model.search_fetch` and `odoo.models.Model.fetch` that take - advantage of the combination. More details can be found on the pull request - `#112126 `_. + :meth:`~odoo.models.Model.search_fetch` and :meth:`~odoo.models.Model.fetch` + that take advantage of the combination. More details can be found on the pull + request `#112126 `_. Odoo version 16.0 =================
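Review bot: in the first ``orm.rst`` hunk the added sentence "The recommended way to build SQL queries is to use the wrapper object" ends without punctuation right before the ``.. autoclass:: odoo.tools.SQL`` directive, and it does not say why the wrapper is recommended even though the paragraph just above only tells readers to "make sure your queries are sanitized". Close the sentence with a colon and carry over the reason given in this patch's own changelog entry, e.g. "The recommended way to build SQL queries is the following wrapper object, which makes SQL composition safer with respect to SQL injections:".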
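Review bot: in the second ``orm.rst`` hunk the rewritten line ``self.env.cr.execute(SQL("SELECT id FROM model WHERE partner_id IN %s", ids))`` uses ``SQL`` without the snippet ever importing it; add ``from odoo.tools import SQL`` to the example (the autoclass directive earlier in this patch documents it under that path) so the snippet is copy-pasteable. The change also replaces the parameter list ``[ids]`` with a bare ``ids`` handed to the wrapper, so ``ids`` is now the single value bound to ``%s``; with psycopg2 a Python list is rendered as an ARRAY literal, which is not valid after ``IN``, so either show ``tuple(ids)`` or state in the prose that ``ids`` must be a tuple.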
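Review bot: the new "Odoo version 17.0" entry in ``changelog.rst`` says the ORM uses the ``SQL`` wrapper internally but never mentions that a cursor's ``execute`` accepts an ``SQL`` object directly, which is exactly what the ``orm.rst`` hunk in this same patch relies on (``self.env.cr.execute(SQL(...))``); add one sentence to that effect so a reader can see the migration path for hand-written queries from the changelog alone, e.g. "``cr.execute`` accepts an ``SQL`` object in place of a query string and parameters."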