summaryrefslogtreecommitdiff
path: root/docs/ref
diff options
context:
space:
mode:
authorMoayad Mardini <moayad.m@gmail.com>2014-04-24 21:10:03 +0300
committerTim Graham <timograham@gmail.com>2014-04-25 09:56:39 -0400
commit2b0e9aa57d4c5b5dbad7d300b4e383d384941034 (patch)
treee97a4d709c76036806a32cc18bb537e64c471809 /docs/ref
parent42659ceb3f635b9eb640c0c7168e02fc71fabd05 (diff)
[1.6.x] Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection
Thanks Erik Romijn for the suggestion. Backport of 3776926cfe503f16c7195621da20c5b89bda70a2 from master
Diffstat (limited to 'docs/ref')
-rw-r--r--docs/ref/models/querysets.txt7
1 files changed, 7 insertions, 0 deletions
diff --git a/docs/ref/models/querysets.txt b/docs/ref/models/querysets.txt
index 30b58a6343..dbca6b5806 100644
--- a/docs/ref/models/querysets.txt
+++ b/docs/ref/models/querysets.txt
@@ -975,6 +975,13 @@ Sometimes, the Django query syntax by itself can't easily express a complex
``QuerySet`` modifier — a hook for injecting specific clauses into the SQL
generated by a ``QuerySet``.
+.. warning::
+
+ You should be very careful whenever you use ``extra()``. Every time you use
+ it, you should escape any parameters that the user can control by using
+ ``params`` in order to protect against SQL injection attacks . Please
+ read more about :ref:`SQL injection protection <sql-injection-protection>`.
+
By definition, these extra lookups may not be portable to different database
engines (because you're explicitly writing SQL code) and violate the DRY
principle, so you should avoid them if possible.