mirror of
				https://github.com/django/django.git
				synced 2025-10-26 07:06:08 +00:00 
			
		
		
		
	[1.5.x] Fixed queries that may return unexpected results on MySQL due to typecasting.
This is a security fix. Disclosure will follow shortly.
Backport of 75c0d4ea3a from master
			
			
This commit is contained in:
		| @@ -501,6 +501,16 @@ For example:: | ||||
|             return ''.join([''.join(l) for l in (value.north, | ||||
|                     value.east, value.south, value.west)]) | ||||
|  | ||||
| .. warning:: | ||||
|  | ||||
|     If your custom field uses the ``CHAR``, ``VARCHAR`` or ``TEXT`` | ||||
|     types for MySQL, you must make sure that :meth:`.get_prep_value` | ||||
|     always returns a string type. MySQL performs flexible and unexpected | ||||
|     matching when a query is performed on these types and the provided | ||||
|     value is an integer, which can cause queries to include unexpected | ||||
|     objects in their results. This problem cannot occur if you always | ||||
|     return a string type from :meth:`.get_prep_value`. | ||||
|  | ||||
| Converting query values to database values | ||||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||||
|  | ||||
|   | ||||
		Reference in New Issue
	
	Block a user