mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-26 15:16:09 +00:00
Code Issues 32 Releases Wiki Activity

[2.0.x] Fixed #28770 -- Warned that quoting a placeholder in a raw SQL string is unsafe.

Browse Source 
Thanks Hynek Cernoch for the report and review.

Backport of 327f0f37ce from master
This commit is contained in:
Tim Graham
2017-11-07 13:07:12 -05:00
parent 518c11352c
commit c869207ea2
3 changed files with 38 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
docs/ref/models/expressions.txt
View File

@@ -660,11 +660,19 @@ should avoid them if possible.
.. warning::
You should be very careful to escape any parameters that the user can
control by using ``params`` in order to protect against :ref:`SQL injection
attacks <sql-injection-protection>`. ``params`` is a required argument to
force you to acknowledge that you're not interpolating your SQL with user
provided data.
To protect against `SQL injection attacks
<https://en.wikipedia.org/wiki/SQL_injection>`_, you must escape any
parameters that the user can control by using ``params``. ``params`` is a
required argument to force you to acknowledge that you're not interpolating
your SQL with user-provided data.
You also must not quote placeholders in the SQL string. This example is
vulnerable to SQL injection because of the quotes around ``%s``::
RawSQL("select col from sometable where othercol = '%s'") # unsafe!
You can read more about how Django's :ref:`SQL injection protection
<sql-injection-protection>` works.
Window functions
----------------

11
docs/ref/models/querysets.txt
View File

@@ -1284,8 +1284,15 @@ generated by a ``QuerySet``.
You should be very careful whenever you use ``extra()``. Every time you use
it, you should escape any parameters that the user can control by using
``params`` in order to protect against SQL injection attacks . Please
read more about :ref:`SQL injection protection <sql-injection-protection>`.
``params`` in order to protect against SQL injection attacks.
You also must not quote placeholders in the SQL string. This example is
vulnerable to SQL injection because of the quotes around ``%s``::
"select col from sometable where othercol = '%s'" # unsafe!
You can read more about how Django's :ref:`SQL injection protection
<sql-injection-protection>` works.
By definition, these extra lookups may not be portable to different database
engines (because you're explicitly writing SQL code) and violate the DRY