Commit ae153560 authored by Moayad Mardini, committed by Tim Graham

[1.7.x] Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection

Thanks Erik Romijn for the suggestion.

Backport of 3776926c from master
parent 658710be
...@@ -1046,6 +1046,13 @@ Sometimes, the Django query syntax by itself can't easily express a complex ...@@ -1046,6 +1046,13 @@ Sometimes, the Django query syntax by itself can't easily express a complex
``QuerySet`` modifier — a hook for injecting specific clauses into the SQL ``QuerySet`` modifier — a hook for injecting specific clauses into the SQL
generated by a ``QuerySet``. generated by a ``QuerySet``.
.. warning::
You should be very careful whenever you use ``extra()``. Every time you use
it, you should escape any parameters that the user can control by using
``params`` in order to protect against SQL injection attacks . Please
read more about :ref:`SQL injection protection <sql-injection-protection>`.
By definition, these extra lookups may not be portable to different database By definition, these extra lookups may not be portable to different database
engines (because you're explicitly writing SQL code) and violate the DRY engines (because you're explicitly writing SQL code) and violate the DRY
principle, so you should avoid them if possible. principle, so you should avoid them if possible.
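Review bot: the phrase "escape any parameters that the user can control by using ``params``" in the new ``extra()`` warning describes the mechanism incorrectly, since ``params`` does not escape anything; it hands the values to the database driver as query parameters kept separate from the SQL string, which is exactly why it is safe. Suggest "pass any value the user can control through ``params`` instead of interpolating it into the SQL string". The same line also has a stray space before the full stop in "SQL injection attacks .".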
...@@ -1415,7 +1422,7 @@ Takes a raw SQL query, executes it, and returns a ...@@ -1415,7 +1422,7 @@ Takes a raw SQL query, executes it, and returns a
``django.db.models.query.RawQuerySet`` instance. This ``RawQuerySet`` instance ``django.db.models.query.RawQuerySet`` instance. This ``RawQuerySet`` instance
can be iterated over just like an normal ``QuerySet`` to provide object instances. can be iterated over just like an normal ``QuerySet`` to provide object instances.
See the :ref:`executing-raw-queries` for more information. See the :doc:`/topics/db/sql` for more information.
.. warning:: .. warning::
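Review bot: switching the cross-reference from :ref:`executing-raw-queries` to :doc:`/topics/db/sql` sends readers to the top of the raw SQL page instead of to the "Performing raw queries" section that actually covers ``raw()``, and the ``.. _executing-raw-queries:`` label still exists (it is visible as context in the next hunk), so the :ref: form could simply be kept. While touching this paragraph, the context line "just like an normal ``QuerySet``" has a typo ("a normal") worth fixing in the same commit.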
......
...@@ -13,6 +13,14 @@ return model instances`__, or you can avoid the model layer entirely and ...@@ -13,6 +13,14 @@ return model instances`__, or you can avoid the model layer entirely and
__ `performing raw queries`_ __ `performing raw queries`_
__ `executing custom SQL directly`_ __ `executing custom SQL directly`_
.. warning::
You should be very careful whenever you write raw SQL. Every time you use
it, you should properly escape any parameters that the user can control
by using ``params`` in order to protect against SQL injection attacks.
Please read more about :ref:`SQL injection protection
<sql-injection-protection>`.
.. _executing-raw-queries: .. _executing-raw-queries:
Performing raw queries Performing raw queries
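Review bot: "properly escape any parameters that the user can control by using ``params``" has the same wording problem as the ``extra()`` warning; ``params`` parameterizes rather than escapes, and saying "escape" invites readers to hand-escape values and splice them into the query string, which is the pattern the warning is meant to rule out. Suggest wording it as passing user-controlled values through ``params`` and never building the SQL string from them. Also note the warning is inserted above the ``.. _executing-raw-queries:`` label, so anyone arriving via that reference lands below it; if the warning is meant for those readers too, it belongs under the "Performing raw queries" heading.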
......
...@@ -79,6 +79,7 @@ HSTS for supported browsers. ...@@ -79,6 +79,7 @@ HSTS for supported browsers.
Be very careful with marking views with the ``csrf_exempt`` decorator unless Be very careful with marking views with the ``csrf_exempt`` decorator unless
it is absolutely necessary. it is absolutely necessary.
.. _sql-injection-protection:
SQL injection protection SQL injection protection
======================== ========================
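Review bot: this label is now the target both new warnings defer to with "Please read more about SQL injection protection", so the section under it should actually state the rule they rely on, namely that values the user can control go into the parameters argument of ``raw()``, ``extra()`` and ``cursor.execute()`` and are never formatted into the SQL string; if the section only describes how the ORM protects you, the warnings point readers at an explanation that does not cover the raw-SQL case.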
......