no such function: MONTH about ralph HOT 6 CLOSED

Thanks for your feedback. Currently the CMDB module works only on the MySQL backend, as described in http://ralph.allegrogroup.com/doc/cmdb.html#installation. We're planning to enable this feature for SQLite and PostgreSQL in a later version. Patches welcome :)

from ralph.

There is a raw SQL query in this file. i don't know how it managed to pass the code review, however, if you stick to standard django querysetting, you're good to go.

therefore, instead of:

MONTH(ch.time)=%s

use

from ralph.cmdb.models import CI

then query for the data:

now = datetime.now()
objects = CI.objects.filter( ... )
.filter(time__month = month).filter(time__month = now.year)

and agregate ( https://docs.djangoproject.com/en/dev/topics/db/aggregation/ )

unless you validate the type / kwargs['type'] argument which is defined as \w+ in urls.py, this query is vunerable for SQL injection.

from ralph.

The raw query is not pretty, and we will eventually replace it with something more integrated with the ORM (it's a little bit trickier than it looks), but you are mistaken about it being vulnerable to SQL injection, as cursor.execute() escapes the values that are passed into it, so don't panic.

from ralph.

indeed, i was mistaken by %s in the query and i automatically assumed there was % [params] somwhere further.

i noticed that you also use sqlalchemy, so even if django itself doesn't cut it for you, you can use sqlalchemy wrapper for django's models and do

model.sa.query()

and so on.

from ralph.

We will certainly get to that and come up with a solution that works on all supported database backends.

from ralph.

I'm closing this issue - there was no activity here for long enough and AFAIK, we are not going for db backends other than MySQL in the nearest future.

from ralph.