summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorMoayad Mardini <moayad.m@gmail.com>2014-04-24 21:10:03 +0300
committerTim Graham <timograham@gmail.com>2014-04-25 09:54:49 -0400
commit3776926cfe503f16c7195621da20c5b89bda70a2 (patch)
tree8a7770071effc92bad3a99aeb43c3e8fe9f48d9d /docs
parent9e7f86b890a71bcc86ec7bcd9ee0c05801b5e807 (diff)
Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection
Thanks Erik Romijn for the suggestion.
Diffstat (limited to 'docs')
-rw-r--r--docs/ref/models/querysets.txt9
-rw-r--r--docs/topics/db/sql.txt8
-rw-r--r--docs/topics/security.txt1
3 files changed, 17 insertions, 1 deletions
diff --git a/docs/ref/models/querysets.txt b/docs/ref/models/querysets.txt
index 91e757ea50..84b0441026 100644
--- a/docs/ref/models/querysets.txt
+++ b/docs/ref/models/querysets.txt
@@ -1033,6 +1033,13 @@ Sometimes, the Django query syntax by itself can't easily express a complex
``QuerySet`` modifier — a hook for injecting specific clauses into the SQL
generated by a ``QuerySet``.
+.. warning::
+
+ You should be very careful whenever you use ``extra()``. Every time you use
+ it, you should escape any parameters that the user can control by using
+ ``params`` in order to protect against SQL injection attacks . Please
+ read more about :ref:`SQL injection protection <sql-injection-protection>`.
+
By definition, these extra lookups may not be portable to different database
engines (because you're explicitly writing SQL code) and violate the DRY
principle, so you should avoid them if possible.
@@ -1402,7 +1409,7 @@ Takes a raw SQL query, executes it, and returns a
``django.db.models.query.RawQuerySet`` instance. This ``RawQuerySet`` instance
can be iterated over just like an normal ``QuerySet`` to provide object instances.
-See the :ref:`executing-raw-queries` for more information.
+See the :doc:`/topics/db/sql` for more information.
.. warning::
diff --git a/docs/topics/db/sql.txt b/docs/topics/db/sql.txt
index d8e1487c1a..4a1b361f11 100644
--- a/docs/topics/db/sql.txt
+++ b/docs/topics/db/sql.txt
@@ -13,6 +13,14 @@ return model instances`__, or you can avoid the model layer entirely and
__ `performing raw queries`_
__ `executing custom SQL directly`_
+.. warning::
+
+ You should be very careful whenever you write raw SQL. Every time you use
+ it, you should properly escape any parameters that the user can control
+ by using ``params`` in order to protect against SQL injection attacks.
+ Please read more about :ref:`SQL injection protection
+ <sql-injection-protection>`.
+
.. _executing-raw-queries:
Performing raw queries
diff --git a/docs/topics/security.txt b/docs/topics/security.txt
index aaee7d8977..f1d987b3c4 100644
--- a/docs/topics/security.txt
+++ b/docs/topics/security.txt
@@ -79,6 +79,7 @@ HSTS for supported browsers.
Be very careful with marking views with the ``csrf_exempt`` decorator unless
it is absolutely necessary.
+.. _sql-injection-protection:
SQL injection protection
========================