Really the root of the problem is poor database design going back to long before I started here, but that problem isn't going to be resolved by the end of the day or even the end of the week. Thus, I need to find a better way to handle the following to get a feature added.
I'm forced to deviate from the Django ORM because I need to build a raw SQL query due to having to write logic around the FROM <table>. We've elected to go this route instead of updating models.py a couple of times a year with the new tables that are added.
There are numerous areas starting here where the Django documentation says "Do not use string formatting on raw queries or quote placeholders in your SQL strings!"
If I write the query like this:
cursor.execute("""
SELECT * \
FROM agg_data_%s \
WHERE dataview = %s \
ORDER BY sortorder """, [tbl, data_view])
It adds single quotes around tbl, which obviously causes an issue, but will correctly construct the WHERE clause surrounded by single quotes.
Doing this will not put single quotes around tbl, but will force you to put single quotes around the WHERE, which is bad to say the least (opens it up for SQL injection):
sql = """ \
SELECT * \
FROM agg_data_%s \
WHERE dataview = '%s' \
ORDER BY sortorder """ % (tbl, data_view)
cursor.execute(sql)
Any way to make lemonade out of these lemons?
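An added example, not part of the original question, showing the usual way out of this: the table name is an identifier, so it can never be a bind parameter, but it can be validated against an allowlist pattern and checked against the tables that actually exist before being quoted as an identifier, while the dataview value stays a bind parameter. The example uses Python's built-in sqlite3 module and a constructed in-memory schema so that it runs stand-alone; the `existing_tables`, `quote_ident` and `is_allowed_table` helpers are assumptions for this example (with Django you would use `connection.cursor()`, `connection.introspection.table_names()` and `connection.ops.quote_name()` in their place, and `%s` rather than `?` as the placeholder):

```python
import re
import sqlite3

# Constructed sample data standing in for the per-period agg_data_* tables.
SAMPLE_ROWS = {
    "2023q1": [("sales", 2, "b"), ("sales", 1, "a"), ("ops", 1, "x")],
    "2023q2": [("sales", 1, "c")],
}

# Only this shape of table suffix is accepted: letters, digits and underscore.
# Anything else (e.g. "x; DROP TABLE ...") is rejected before it can reach
# the SQL text.
SUFFIX_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def quote_ident(name):
    # Hypothetical helper: double-quote an SQL identifier (standard SQL;
    # the Django equivalent is connection.ops.quote_name).
    return '"' + name.replace('"', '""') + '"'


def build_db():
    # Build the constructed schema in memory (trusted, fixed suffixes).
    conn = sqlite3.connect(":memory:")
    for suffix, rows in SAMPLE_ROWS.items():
        table = quote_ident(f"agg_data_{suffix}")
        conn.execute(f"CREATE TABLE {table} (dataview TEXT, sortorder INTEGER, val TEXT)")
        conn.executemany(f"INSERT INTO {table} VALUES (?, ?, ?)", rows)
    return conn


def existing_tables(conn):
    # Hypothetical helper: names of the tables that actually exist
    # (Django equivalent: connection.introspection.table_names()).
    cur = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return {row[0] for row in cur}


def is_allowed_table(conn, tbl):
    """True only if tbl is a well-formed suffix naming an existing agg_data table."""
    return bool(SUFFIX_RE.match(tbl)) and f"agg_data_{tbl}" in existing_tables(conn)


def fetch_agg_data(conn, tbl, data_view):
    """Return rows of agg_data_<tbl> for one dataview, ordered by sortorder.

    The table name is validated and quoted as an identifier; the dataview
    value is passed as a bind parameter, so the driver quotes it and it can
    never change the structure of the query.
    """
    if not is_allowed_table(conn, tbl):
        raise ValueError(f"rejected table suffix: {tbl!r}")
    table = quote_ident(f"agg_data_{tbl}")
    sql = f"SELECT dataview, sortorder, val FROM {table} WHERE dataview = ? ORDER BY sortorder"
    return conn.execute(sql, [data_view]).fetchall()


if __name__ == "__main__":
    conn = build_db()
    print(fetch_agg_data(conn, "2023q1", "sales"))
    # A hostile value is harmless: it is compared as data, not parsed as SQL.
    print(fetch_agg_data(conn, "2023q1", "sales' OR '1'='1"))
    for bad in ("2023q1; DROP TABLE x", 'x" OR "1"="1', "missing"):
        try:
            fetch_agg_data(conn, bad, "sales")
        except ValueError as exc:
            print(exc)
```

The allowlist regex is the real control; the existence check on top of it turns a typo or a not-yet-created period table into a clean error instead of a database exception, and the identifier quoting is there so the name is always read as a name even if the allowlist is later loosened.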