diff options
| author | Moayad Mardini <moayad.m@gmail.com> | 2014-04-24 21:10:03 +0300 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2014-04-25 09:54:49 -0400 |
| commit | 3776926cfe503f16c7195621da20c5b89bda70a2 (patch) | |
| tree | 8a7770071effc92bad3a99aeb43c3e8fe9f48d9d /docs/ref | |
| parent | 9e7f86b890a71bcc86ec7bcd9ee0c05801b5e807 (diff) | |
Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection
Thanks Erik Romijn for the suggestion.
Diffstat (limited to 'docs/ref')
| -rw-r--r-- | docs/ref/models/querysets.txt | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/docs/ref/models/querysets.txt b/docs/ref/models/querysets.txt index 91e757ea50..84b0441026 100644 --- a/docs/ref/models/querysets.txt +++ b/docs/ref/models/querysets.txt @@ -1033,6 +1033,13 @@ Sometimes, the Django query syntax by itself can't easily express a complex ``QuerySet`` modifier — a hook for injecting specific clauses into the SQL generated by a ``QuerySet``. +.. warning:: + + You should be very careful whenever you use ``extra()``. Every time you use + it, you should escape any parameters that the user can control by using + ``params`` in order to protect against SQL injection attacks . Please + read more about :ref:`SQL injection protection <sql-injection-protection>`. + By definition, these extra lookups may not be portable to different database engines (because you're explicitly writing SQL code) and violate the DRY principle, so you should avoid them if possible. @@ -1402,7 +1409,7 @@ Takes a raw SQL query, executes it, and returns a ``django.db.models.query.RawQuerySet`` instance. This ``RawQuerySet`` instance can be iterated over just like an normal ``QuerySet`` to provide object instances. -See the :ref:`executing-raw-queries` for more information. +See the :doc:`/topics/db/sql` for more information. .. warning:: |
