[IMP] core: add SQL wrapper

rco-odoo · rco-odoo · commit 2662fa5437d8 · 2023-11-30T07:37:10.000Z
This completes odoo/odoo#134677. closes #6674 Signed-off-by: Raphael Collet <rco@odoo.com>
diff --git a/content/developer/reference/backend/orm.rst b/content/developer/reference/backend/orm.rst
@@ -726,6 +726,13 @@ joins) or for performance reasons::
     Please make sure your queries are sanitized when using user input and prefer using
     ORM utilities if you don't really need to use SQL queries.
 
+The recommended way to build SQL queries is to use the wrapper object
+
+.. autoclass:: odoo.tools.SQL
+
+    .. automethod:: SQL.join
+    .. automethod:: SQL.identifier
+
 One important thing to know about models is that they don't necessarily perform
 database updates right away. Indeed, for performance reasons, the framework
 delays the recomputation of fields after modifying records. And some database
@@ -740,7 +747,7 @@ called *flushing* and performs the expected database updates.
         # make sure that 'partner_id' is up-to-date in database
         self.env['model'].flush_model(['partner_id'])
 
-        self.env.cr.execute("SELECT id FROM model WHERE partner_id IN %s", [ids])
+        self.env.cr.execute(SQL("SELECT id FROM model WHERE partner_id IN %s", ids))
         ids = [row[0] for row in self.env.cr.fetchall()]
 
 Before every SQL query, one has to flush the data needed for that query. There
diff --git a/content/developer/reference/backend/orm/changelog.rst b/content/developer/reference/backend/orm/changelog.rst
@@ -4,27 +4,34 @@
 Changelog
 =========
 
+Odoo version 17.0
+=================
+
+- Introduce an :class:`~odoo.tools.SQL` wrapper object to make SQL composition
+  easier and safer with respect to SQL injections. Methods of the ORM now use it
+  internally. Introduced by `#134677 <https://github.com/odoo/odoo/pull/134677>`_.
+
 Odoo Online version 16.4
 ========================
 
-- `odoo.models.Model.name_get` has been deprecated with
+- Method :meth:`~odoo.models.Model.name_get` has been deprecated with
   `#122085 <https://github.com/odoo/odoo/pull/122085>`_.
-  Read `display_name` instead.
+  Read field `display_name` instead.
 
 Odoo Online version 16.3
 ========================
 
-- `odoo.models.Model._read_group` has a new signature with
+- Method :meth:`~odoo.models.Model._read_group` has a new signature with
   `#110737 <https://github.com/odoo/odoo/pull/110737>`_
 
 Odoo Online version 16.2
 ========================
 
 - Refactor the implementation of searching and reading methods to be able to
   combine both in a minimal number of SQL queries. We introduce two new methods
-  `odoo.models.Model.search_fetch` and `odoo.models.Model.fetch` that take
-  advantage of the combination. More details can be found on the pull request
-  `#112126 <https://github.com/odoo/odoo/pull/112126>`_.
+  :meth:`~odoo.models.Model.search_fetch` and :meth:`~odoo.models.Model.fetch`
+  that take advantage of the combination. More details can be found on the pull
+  request `#112126 <https://github.com/odoo/odoo/pull/112126>`_.
 
 Odoo version 16.0
 =================
