Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection

Thanks Erik Romijn for the suggestion.
Moayad Mardini 2014-04-24 21:10:03 +03:00 committed by Tim Graham
parent 9e7f86b890
commit 3776926cfe
3 changed files with 17 additions and 1 deletions


@ -1033,6 +1033,13 @@ Sometimes, the Django query syntax by itself can't easily express a complex
``QuerySet`` modifier — a hook for injecting specific clauses into the SQL ``QuerySet`` modifier — a hook for injecting specific clauses into the SQL
generated by a ``QuerySet``. generated by a ``QuerySet``.
.. warning::
You should be very careful whenever you use ``extra()``. Every time you use
it, you should escape any parameters that the user can control by using
``params`` in order to protect against SQL injection attacks . Please
read more about :ref:`SQL injection protection <sql-injection-protection>`.
By definition, these extra lookups may not be portable to different database By definition, these extra lookups may not be portable to different database
engines (because you're explicitly writing SQL code) and violate the DRY engines (because you're explicitly writing SQL code) and violate the DRY
principle, so you should avoid them if possible. principle, so you should avoid them if possible.
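Review bot: the new warning body has a stray space before the full stop in "SQL injection attacks ."; drop it. The same sentence tells readers to "escape" user-controlled parameters "by using ``params``", but ``params`` does not escape anything on the caller's side, it hands the values to the database driver for binding, so a reader could conclude that manual escaping plus string formatting is an equivalent alternative. Suggest "pass any values the user can control through ``params`` rather than interpolating them into the SQL string".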
@ -1402,7 +1409,7 @@ Takes a raw SQL query, executes it, and returns a
``django.db.models.query.RawQuerySet`` instance. This ``RawQuerySet`` instance ``django.db.models.query.RawQuerySet`` instance. This ``RawQuerySet`` instance
can be iterated over just like an normal ``QuerySet`` to provide object instances. can be iterated over just like an normal ``QuerySet`` to provide object instances.
See the :ref:`executing-raw-queries` for more information. See the :doc:`/topics/db/sql` for more information.
.. warning:: .. warning::
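Review bot: the unchanged context line "can be iterated over just like an normal ``QuerySet``" carries a typo ("an normal" should be "a normal") that is worth fixing while this paragraph is being touched. Replacing :ref:`executing-raw-queries` with :doc:`/topics/db/sql` now lands readers at the top of the whole document instead of the "Performing raw queries" section; that is reasonable given the warning added to that document sits above the section, but the ``executing-raw-queries`` label is still defined, so the :ref: could stay if the intent was to link the section itself.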


@ -13,6 +13,14 @@ return model instances`__, or you can avoid the model layer entirely and
__ `performing raw queries`_ __ `performing raw queries`_
__ `executing custom SQL directly`_ __ `executing custom SQL directly`_
.. warning::
You should be very careful whenever you write raw SQL. Every time you use
it, you should properly escape any parameters that the user can control
by using ``params`` in order to protect against SQL injection attacks.
Please read more about :ref:`SQL injection protection
<sql-injection-protection>`.
.. _executing-raw-queries: .. _executing-raw-queries:
Performing raw queries Performing raw queries
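Review bot: the warning's advice is phrased only in terms of ``params``, while the intro directly above it also covers the second approach, "executing custom SQL directly", which does not go through ``raw()``; suggest wording that covers both paths, e.g. "pass user-controlled values as query parameters rather than building the SQL string from them". Also check that a blank line separates the indented warning body from the following ``.. _executing-raw-queries:`` target, otherwise docutils reports "Explicit markup ends without a blank line"; the side-by-side rendering here collapses blank lines, so this cannot be confirmed from the view.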


@ -79,6 +79,7 @@ HSTS for supported browsers.
Be very careful with marking views with the ``csrf_exempt`` decorator unless Be very careful with marking views with the ``csrf_exempt`` decorator unless
it is absolutely necessary. it is absolutely necessary.
.. _sql-injection-protection:
SQL injection protection SQL injection protection
======================== ========================
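Review bot: a hyperlink target placed directly before a section title needs a blank line between ``.. _sql-injection-protection:`` and "SQL injection protection", otherwise docutils emits "Explicit markup ends without a blank line; unexpected unindent". The rendering here drops blank lines, so confirm one is present in the source. The label name matches the ``<sql-injection-protection>`` :ref: targets added in the other two files, so the cross-references resolve consistently.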