path: root/docs/howto/custom-model-fields.txt
author: Erik Romijn <eromijn@solidlinks.nl> 2014-04-20 16:32:48 -0400
committer: Tim Graham <timograham@gmail.com> 2014-04-21 18:31:44 -0400
commit: aa80f498de6d687e613860933ac58433ab71ea4b (patch)
tree: 44c7b0893c379d2284868ffc3cdcd33c98c19722 /docs/howto/custom-model-fields.txt
parent: 1170f285ddd6a94a65f911a27788ba49ca08c0b0 (diff)
[1.4.x] Fixed queries that may return unexpected results on MySQL due to typecasting.
This is a security fix. Disclosure will follow shortly. Backport of 75c0d4ea3ae48970f788c482ee0bd6b29a7f1307 from master
Diffstat (limited to 'docs/howto/custom-model-fields.txt')
-rw-r--r--  docs/howto/custom-model-fields.txt  10
1 files changed, 10 insertions, 0 deletions
diff --git a/docs/howto/custom-model-fields.txt b/docs/howto/custom-model-fields.txt
index daaede8e15..fcbda032b7 100644
--- a/docs/howto/custom-model-fields.txt
+++ b/docs/howto/custom-model-fields.txt
@@ -482,6 +482,16 @@ For example::
return ''.join([''.join(l) for l in (value.north,
value.east, value.south, value.west)])
+.. warning::
+
+ If your custom field uses the ``CHAR``, ``VARCHAR`` or ``TEXT``
+ types for MySQL, you must make sure that :meth:`.get_prep_value`
+ always returns a string type. MySQL performs flexible and unexpected
+ matching when a query is performed on these types and the provided
+ value is an integer, which can cause queries to include unexpected
+ objects in their results. This problem cannot occur if you always
+ return a string type from :meth:`.get_prep_value`.
+
Converting query values to database values
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
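Review bot: the new warning states the rule (``get_prep_value`` must always return a string for ``CHAR``/``VARCHAR``/``TEXT`` columns on MySQL) but gives neither the mechanism nor the pattern to follow, so a reader cannot tell whether their own field is affected or what the fix looks like. Suggest one sentence explaining what "flexible and unexpected matching" means here (MySQL implicitly converts the column's string values to numbers when they are compared with an integer, so rows that are not equal to the string form of the value can still match), and one concrete line showing the fix, e.g. ending ``get_prep_value`` with ``return str(value)``; it is also worth pointing out that the ``''.join(...)`` example directly above the warning already satisfies the requirement, since it always builds a string. Finally, consider saying whether the string return should be unconditional rather than guarded by a backend check, since the rest of this section is written backend-independently.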