| field | value | date |
|---|---|---|
| author | Moayad Mardini <moayad.m@gmail.com> | 2014-04-24 21:10:03 +0300 |
| committer | Tim Graham <timograham@gmail.com> | 2014-04-25 09:56:39 -0400 |
| commit | 2b0e9aa57d4c5b5dbad7d300b4e383d384941034 (patch) | |
| tree | e97a4d709c76036806a32cc18bb537e64c471809 | |
| parent | 42659ceb3f635b9eb640c0c7168e02fc71fabd05 (diff) | |
[1.6.x] Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection
Thanks Erik Romijn for the suggestion.
Backport of 3776926cfe503f16c7195621da20c5b89bda70a2 from master
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | docs/ref/models/querysets.txt | 7 |
| -rw-r--r-- | docs/topics/db/sql.txt | 8 |
| -rw-r--r-- | docs/topics/security.txt | 1 |
3 files changed, 16 insertions, 0 deletions
diff --git a/docs/ref/models/querysets.txt b/docs/ref/models/querysets.txt index 30b58a6343..dbca6b5806 100644 --- a/docs/ref/models/querysets.txt +++ b/docs/ref/models/querysets.txt @@ -975,6 +975,13 @@ Sometimes, the Django query syntax by itself can't easily express a complex ``QuerySet`` modifier — a hook for injecting specific clauses into the SQL generated by a ``QuerySet``. +.. warning:: + + You should be very careful whenever you use ``extra()``. Every time you use + it, you should escape any parameters that the user can control by using + ``params`` in order to protect against SQL injection attacks . Please + read more about :ref:`SQL injection protection <sql-injection-protection>`. + By definition, these extra lookups may not be portable to different database engines (because you're explicitly writing SQL code) and violate the DRY principle, so you should avoid them if possible. diff --git a/docs/topics/db/sql.txt b/docs/topics/db/sql.txt index 823901946b..e577ca3648 100644 --- a/docs/topics/db/sql.txt +++ b/docs/topics/db/sql.txt @@ -13,6 +13,14 @@ return model instances`__, or you can avoid the model layer entirely and __ `performing raw queries`_ __ `executing custom SQL directly`_ +.. warning:: + + You should be very careful whenever you write raw SQL. Every time you use + it, you should properly escape any parameters that the user can control + by using ``params`` in order to protect against SQL injection attacks. + Please read more about :ref:`SQL injection protection + <sql-injection-protection>`. + .. _executing-raw-queries: Performing raw queries diff --git a/docs/topics/security.txt b/docs/topics/security.txt index 1ae5ddf78e..5fd62eb694 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt @@ -79,6 +79,7 @@ HSTS for supported browsers. Be very careful with marking views with the ``csrf_exempt`` decorator unless it is absolutely necessary. +.. _sql-injection-protection: SQL injection protection ======================== |
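Review bot: In the ``docs/ref/models/querysets.txt`` hunk there is a stray space before the full stop in "SQL injection attacks ." that should be removed. The phrase "escape any parameters that the user can control by using ``params``" also reads as if ``params`` were an escaping helper; since the point of ``params`` is that user-controlled values are handed to the database as query parameters instead of being interpolated into the SQL string, consider "pass any values the user can control via ``params`` rather than interpolating them into the SQL".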
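Review bot: In the ``docs/topics/db/sql.txt`` hunk the warning tells readers to use ``params``, but the surrounding context introduces both performing raw queries and executing custom SQL directly, and the name ``params`` only applies to the first; for the second the placeholders' values are passed as the positional argument to ``execute()``. Suggest wording it generically, e.g. "by passing them as query parameters (``params`` for ``raw()``, the second argument to ``cursor.execute()``)", so the warning is correct for both halves of the page. The same "properly escape ... by using ``params``" phrasing as in the ``extra()`` warning applies here and would benefit from the same fix.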
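Review bot: In the ``docs/topics/security.txt`` hunk the new label ``.. _sql-injection-protection:`` is placed directly above the "SQL injection protection" title with no blank line between them. An explicit markup block in reStructuredText must be followed by a blank line, otherwise docutils reports "Explicit markup ends without a blank line; unexpected unindent" during the docs build. Add an empty line after the label:

.. _sql-injection-protection:

SQL injection protection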
