[1.6.x] Fixed queries that may return unexpected results on MySQL due to typecasting.

This is a security fix. Disclosure will follow shortly. Backport of 75c0d4ea3a from master
2025-10-26 07:06:08 +00:00 · 2014-04-20 16:28:01 -04:00
parent d63e20942f
commit 5f0829a27e
6 changed files with 157 additions and 2 deletions
--- a/docs/ref/models/querysets.txt
+++ b/docs/ref/models/querysets.txt
@@ -1132,6 +1132,16 @@ of the arguments is required, but you should use at least one of them.

      Entry.objects.extra(where=['headline=%s'], params=['Lennon'])

+.. warning::
+
+    If you are performing queries on MySQL, note that MySQL's silent type coercion
+    may cause unexpected results when mixing types. If you query on a string
+    type column, but with an integer value, MySQL will coerce the types of all values
+    in the table to an integer before performing the comparison. For example, if your
+    table contains the values ``'abc'``, ``'def'`` and you query for ``WHERE mycolumn=0``,
+    both rows will match. To prevent this, perform the correct typecasting
+    before using the value in a query.
+
 defer
 ~~~~~