Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection

Thanks Erik Romijn for the suggestion.
Moayad Mardini 11 years ago
parent commit 3776926cfe
3 changed files with 17 additions and 1 deletion:

  1. docs/ref/models/querysets.txt (+8, -1)
  2. docs/topics/db/sql.txt (+8, -0)
  3. docs/topics/security.txt (+1, -0)

+ 8 - 1
docs/ref/models/querysets.txt

@@ -1033,6 +1033,13 @@ Sometimes, the Django query syntax by itself can't easily express a complex
 ``QuerySet`` modifier — a hook for injecting specific clauses into the SQL
 ``QuerySet`` modifier — a hook for injecting specific clauses into the SQL
 generated by a ``QuerySet``.
 generated by a ``QuerySet``.
 
 
+.. warning::
+
+    You should be very careful whenever you use ``extra()``. Every time you use
+    it, you should escape any parameters that the user can control by using
+    ``params`` in order to protect against SQL injection attacks . Please
+    read more about :ref:`SQL injection protection <sql-injection-protection>`.
+
 By definition, these extra lookups may not be portable to different database
 By definition, these extra lookups may not be portable to different database
 engines (because you're explicitly writing SQL code) and violate the DRY
 engines (because you're explicitly writing SQL code) and violate the DRY
 principle, so you should avoid them if possible.
 principle, so you should avoid them if possible.
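Review bot: the added warning has a stray space before the full stop in ``SQL injection attacks . Please``; drop the space. The phrase "escape any parameters ... by using ``params``" is also slightly misleading, since ``params`` does not escape anything itself but hands the values to the database driver as query parameters; "pass any parameters that the user can control via ``params``" states the actual protection. The ``sql-injection-protection`` target referenced here is the label this commit adds in docs/topics/security.txt, so the cross-reference resolves.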
@@ -1402,7 +1409,7 @@ Takes a raw SQL query, executes it, and returns a
 ``django.db.models.query.RawQuerySet`` instance. This ``RawQuerySet`` instance
 ``django.db.models.query.RawQuerySet`` instance. This ``RawQuerySet`` instance
 can be iterated over just like an normal ``QuerySet`` to provide object instances.
 can be iterated over just like an normal ``QuerySet`` to provide object instances.
 
 
-See the :ref:`executing-raw-queries` for more information.
+See the :doc:`/topics/db/sql` for more information.
 
 
 .. warning::
 .. warning::
 
 
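Review bot: the context line two lines above the change still reads "just like an normal ``QuerySet``"; since this hunk already touches the paragraph, fix "an normal" to "a normal" in the same commit. Switching from :ref:`executing-raw-queries` to :doc:`/topics/db/sql` is sensible because the new warning is placed at the top of that document rather than under the ``executing-raw-queries`` label (which still exists, as the second file's hunk shows), but :doc: renders the document's title as link text where :ref: rendered the section title, so check that the resulting sentence still reads naturally.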

+ 8 - 0
docs/topics/db/sql.txt

@@ -13,6 +13,14 @@ return model instances`__, or you can avoid the model layer entirely and
 __ `performing raw queries`_
 __ `performing raw queries`_
 __ `executing custom SQL directly`_
 __ `executing custom SQL directly`_
 
 
+.. warning::
+
+    You should be very careful whenever you write raw SQL. Every time you use
+    it, you should properly escape any parameters that the user can control
+    by using ``params`` in order to protect against SQL injection attacks.
+    Please read more about :ref:`SQL injection protection
+    <sql-injection-protection>`.
+
 .. _executing-raw-queries:
 .. _executing-raw-queries:
 
 
 Performing raw queries
 Performing raw queries
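Review bot: this document covers both ``performing raw queries`` and ``executing custom SQL directly`` (see the context lines above the warning), yet the warning names a single literal ``params`` argument, which reads as if it applied only to the first path; a neutral phrasing such as "by passing them as query parameters rather than interpolating them into the SQL string" covers both. The text is otherwise near-identical to the ``extra()`` warning in docs/ref/models/querysets.txt, which is fine, but whoever rewords one should keep the other in step.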

+ 1 - 0
docs/topics/security.txt

@@ -79,6 +79,7 @@ HSTS for supported browsers.
 Be very careful with marking views with the ``csrf_exempt`` decorator unless
 Be very careful with marking views with the ``csrf_exempt`` decorator unless
 it is absolutely necessary.
 it is absolutely necessary.
 
 
+.. _sql-injection-protection:
 
 
 SQL injection protection
 SQL injection protection
 ========================
 ========================
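Review bot: the new ``.. _sql-injection-protection:`` target is separated from the ``SQL injection protection`` heading only by a blank context line, which is what reST needs for the label to attach to that section, and its name matches the two :ref: uses added in the other files. No change needed here.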