| field | value | date |
|---|---|---|
| author | Erik Romijn <eromijn@solidlinks.nl> | 2014-04-20 16:32:48 -0400 |
| committer | Tim Graham <timograham@gmail.com> | 2014-04-21 18:31:44 -0400 |
| commit | aa80f498de6d687e613860933ac58433ab71ea4b (patch) | |
| tree | 44c7b0893c379d2284868ffc3cdcd33c98c19722 /docs/ref | |
| parent | 1170f285ddd6a94a65f911a27788ba49ca08c0b0 (diff) | |
[1.4.x] Fixed queries that may return unexpected results on MySQL due to typecasting.
This is a security fix. Disclosure will follow shortly.
Backport of 75c0d4ea3ae48970f788c482ee0bd6b29a7f1307 from master
Diffstat (limited to 'docs/ref')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | docs/ref/databases.txt | 16 |
| -rw-r--r-- | docs/ref/models/querysets.txt | 10 |
2 files changed, 26 insertions, 0 deletions
diff --git a/docs/ref/databases.txt b/docs/ref/databases.txt index 4c18658304..269197946e 100644 --- a/docs/ref/databases.txt +++ b/docs/ref/databases.txt @@ -432,6 +432,22 @@ MySQL does not support the ``NOWAIT`` option to the ``SELECT ... FOR UPDATE`` statement. If ``select_for_update()`` is used with ``nowait=True`` then a ``DatabaseError`` will be raised. +Automatic typecasting can cause unexpected results +-------------------------------------------------- + +When performing a query on a string type, but with an integer value, MySQL will +coerce the types of all values in the table to an integer before performing the +comparison. If your table contains the values ``'abc'``, ``'def'`` and you +query for ``WHERE mycolumn=0``, both rows will match. Similarly, ``WHERE mycolumn=1`` +will match the value ``'abc1'``. Therefore, string type fields included in Django +will always cast the value to a string before using it in a query. + +If you implement custom model fields that inherit from :class:`~django.db.models.Field` +directly, are overriding :meth:`~django.db.models.Field.get_prep_value`, or use +:meth:`extra() <django.db.models.query.QuerySet.extra>` or +:meth:`raw() <django.db.models.Manager.raw>`, you should ensure that you +perform the appropriate typecasting. + .. _sqlite-notes: SQLite notes diff --git a/docs/ref/models/querysets.txt b/docs/ref/models/querysets.txt index 022a251e5c..2decddbc28 100644 --- a/docs/ref/models/querysets.txt +++ b/docs/ref/models/querysets.txt 
@@ -1041,6 +1041,16 @@ of the arguments is required, but you should use at least one of them. Entry.objects.extra(where=['headline=%s'], params=['Lennon']) +.. warning:: + + If you are performing queries on MySQL, note that MySQL's silent type coercion + may cause unexpected results when mixing types. If you query on a string + type column, but with an integer value, MySQL will coerce the types of all values + in the table to an integer before performing the comparison. For example, if your + table contains the values ``'abc'``, ``'def'`` and you query for ``WHERE mycolumn=0``, + both rows will match. To prevent this, perform the correct typecasting + before using the value in a query. + defer ~~~~~ |
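Review bot: In the ``docs/ref/databases.txt`` hunk, the sentence "Similarly, ``WHERE mycolumn=1`` will match the value ``'abc1'``" does not match how MySQL converts a string for a numeric comparison: the string is converted from its leading numeric prefix, so ``'abc1'`` converts to ``0`` (and therefore matches ``mycolumn=0``, exactly like ``'abc'``), whereas a value such as ``'1abc'`` is what matches ``mycolumn=1``. Either change the example to ``'1abc'`` or drop that sentence; the ``'abc'``/``'def'`` example already makes the point, and it is the security-relevant one, since an integer ``0`` that reaches a string-column comparison matches every non-numeric row. The same paragraph says MySQL coerces the values "to an integer"; the comparison is numeric (floating point), so ``'01'`` or ``'1.0'`` also compares equal to ``1``. Saying "to a number" would be accurate and covers those cases too.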
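Review bot: The warning added after the ``extra()`` example in ``docs/ref/models/querysets.txt`` tells readers to "perform the correct typecasting" but does not show what that means for ``extra()``, which hands ``params`` to the database driver without going through the field's ``get_prep_value()`` that the ``databases.txt`` hunk relies on. A one-line hint would make it actionable: pass each parameter as the Python type matching the column, so a string column gets ``params=['1']``, not ``params=[1]``, mirroring the existing ``params=['Lennon']`` example. The warning also repeats most of the new "Automatic typecasting can cause unexpected results" section from the other hunk; adding a ``:ref:`` label to that section and linking to it from here, keeping only the first sentence locally, would stop the two descriptions from drifting apart. Finally, the ``databases.txt`` hunk names ``raw()`` as equally affected, but this patch adds no corresponding warning to the ``raw()`` documentation.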
