1
0
mirror of https://github.com/django/django.git synced 2024-12-24 01:55:49 +00:00

[1.7.x] Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection

Thanks Erik Romijn for the suggestion.

Backport of 3776926cfe from master
This commit is contained in:
Moayad Mardini 2014-04-24 21:10:03 +03:00 committed by Tim Graham
parent 658710be00
commit ae15356061
3 changed files with 17 additions and 1 deletions

View File

@ -1046,6 +1046,13 @@ Sometimes, the Django query syntax by itself can't easily express a complex
``QuerySet`` modifier — a hook for injecting specific clauses into the SQL
generated by a ``QuerySet``.
.. warning::
You should be very careful whenever you use ``extra()``. Every time you use
it, you should escape any parameters that the user can control by using
``params`` in order to protect against SQL injection attacks . Please
read more about :ref:`SQL injection protection <sql-injection-protection>`.
By definition, these extra lookups may not be portable to different database
engines (because you're explicitly writing SQL code) and violate the DRY
principle, so you should avoid them if possible.
@ -1415,7 +1422,7 @@ Takes a raw SQL query, executes it, and returns a
``django.db.models.query.RawQuerySet`` instance. This ``RawQuerySet`` instance
can be iterated over just like an normal ``QuerySet`` to provide object instances.
See the :ref:`executing-raw-queries` for more information.
See the :doc:`/topics/db/sql` for more information.
.. warning::

View File

@ -13,6 +13,14 @@ return model instances`__, or you can avoid the model layer entirely and
__ `performing raw queries`_
__ `executing custom SQL directly`_
.. warning::
You should be very careful whenever you write raw SQL. Every time you use
it, you should properly escape any parameters that the user can control
by using ``params`` in order to protect against SQL injection attacks.
Please read more about :ref:`SQL injection protection
<sql-injection-protection>`.
.. _executing-raw-queries:
Performing raw queries

View File

@ -79,6 +79,7 @@ HSTS for supported browsers.
Be very careful with marking views with the ``csrf_exempt`` decorator unless
it is absolutely necessary.
.. _sql-injection-protection:
SQL injection protection
========================