Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection
Thanks Erik Romijn for the suggestion.
This commit is contained in:
parent
9e7f86b890
commit
3776926cfe
|
@ -1033,6 +1033,13 @@ Sometimes, the Django query syntax by itself can't easily express a complex
|
||||||
``QuerySet`` modifier — a hook for injecting specific clauses into the SQL
|
``QuerySet`` modifier — a hook for injecting specific clauses into the SQL
|
||||||
generated by a ``QuerySet``.
|
generated by a ``QuerySet``.
|
||||||
|
|
||||||
|
.. warning::
|
||||||
|
|
||||||
|
You should be very careful whenever you use ``extra()``. Every time you use
|
||||||
|
it, you should escape any parameters that the user can control by using
|
||||||
|
``params`` in order to protect against SQL injection attacks . Please
|
||||||
|
read more about :ref:`SQL injection protection <sql-injection-protection>`.
|
||||||
|
|
||||||
By definition, these extra lookups may not be portable to different database
|
By definition, these extra lookups may not be portable to different database
|
||||||
engines (because you're explicitly writing SQL code) and violate the DRY
|
engines (because you're explicitly writing SQL code) and violate the DRY
|
||||||
principle, so you should avoid them if possible.
|
principle, so you should avoid them if possible.
|
||||||
|
@ -1402,7 +1409,7 @@ Takes a raw SQL query, executes it, and returns a
|
||||||
``django.db.models.query.RawQuerySet`` instance. This ``RawQuerySet`` instance
|
``django.db.models.query.RawQuerySet`` instance. This ``RawQuerySet`` instance
|
||||||
can be iterated over just like an normal ``QuerySet`` to provide object instances.
|
can be iterated over just like an normal ``QuerySet`` to provide object instances.
|
||||||
|
|
||||||
See the :ref:`executing-raw-queries` for more information.
|
See the :doc:`/topics/db/sql` for more information.
|
||||||
|
|
||||||
.. warning::
|
.. warning::
|
||||||
|
|
||||||
|
|
|
@ -13,6 +13,14 @@ return model instances`__, or you can avoid the model layer entirely and
|
||||||
__ `performing raw queries`_
|
__ `performing raw queries`_
|
||||||
__ `executing custom SQL directly`_
|
__ `executing custom SQL directly`_
|
||||||
|
|
||||||
|
.. warning::
|
||||||
|
|
||||||
|
You should be very careful whenever you write raw SQL. Every time you use
|
||||||
|
it, you should properly escape any parameters that the user can control
|
||||||
|
by using ``params`` in order to protect against SQL injection attacks.
|
||||||
|
Please read more about :ref:`SQL injection protection
|
||||||
|
<sql-injection-protection>`.
|
||||||
|
|
||||||
.. _executing-raw-queries:
|
.. _executing-raw-queries:
|
||||||
|
|
||||||
Performing raw queries
|
Performing raw queries
|
||||||
|
|
|
@ -79,6 +79,7 @@ HSTS for supported browsers.
|
||||||
Be very careful with marking views with the ``csrf_exempt`` decorator unless
|
Be very careful with marking views with the ``csrf_exempt`` decorator unless
|
||||||
it is absolutely necessary.
|
it is absolutely necessary.
|
||||||
|
|
||||||
|
.. _sql-injection-protection:
|
||||||
|
|
||||||
SQL injection protection
|
SQL injection protection
|
||||||
========================
|
========================
|
||||||
|
|
Loading…
Reference in New Issue