author: Erik Romijn <eromijn@solidlinks.nl> 2014-04-20 16:32:48 -0400
committer: Tim Graham <timograham@gmail.com> 2014-04-21 18:31:44 -0400
commit: aa80f498de6d687e613860933ac58433ab71ea4b (patch)
tree: 44c7b0893c379d2284868ffc3cdcd33c98c19722 /docs/ref/models/querysets.txt
parent: 1170f285ddd6a94a65f911a27788ba49ca08c0b0 (diff)
[1.4.x] Fixed queries that may return unexpected results on MySQL due to typecasting.
This is a security fix. Disclosure will follow shortly. Backport of 75c0d4ea3ae48970f788c482ee0bd6b29a7f1307 from master
Diffstat (limited to 'docs/ref/models/querysets.txt')
-rw-r--r-- docs/ref/models/querysets.txt 10
1 file changed, 10 insertions, 0 deletions
diff --git a/docs/ref/models/querysets.txt b/docs/ref/models/querysets.txt
index 022a251e5c..2decddbc28 100644
--- a/docs/ref/models/querysets.txt
+++ b/docs/ref/models/querysets.txt
@@ -1041,6 +1041,16 @@ of the arguments is required, but you should use at least one of them.
Entry.objects.extra(where=['headline=%s'], params=['Lennon'])
+.. warning::
+
+ If you are performing queries on MySQL, note that MySQL's silent type coercion
+ may cause unexpected results when mixing types. If you query on a string
+ type column, but with an integer value, MySQL will coerce the types of all values
+ in the table to an integer before performing the comparison. For example, if your
+ table contains the values ``'abc'``, ``'def'`` and you query for ``WHERE mycolumn=0``,
+ both rows will match. To prevent this, perform the correct typecasting
+ before using the value in a query.
+
defer
~~~~~
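Review bot: the new warning tells the reader to "perform the correct typecasting before using the value in a query" but gives no example of what that looks like, even though the ``extra()`` call directly above the hunk (``Entry.objects.extra(where=['headline=%s'], params=['Lennon'])``) is the natural place to show it; consider adding a one-line follow-up such as passing ``params=[str(value)]`` when the column is a string type, so the parameter reaches the database as a string literal rather than as an integer. The sentence "MySQL will coerce the types of all values in the table to an integer" also reads as if the stored data is rewritten; it would be clearer to say that MySQL converts each stored value to a number for the comparison, which is why non-numeric strings such as ``'abc'`` and ``'def'`` compare equal to ``0`` and both rows match. Since this is the documentation half of a security fix, it may also be worth a short note that the same care applies to any user-supplied value interpolated through ``params``, not only to the hand-written example.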