From ae1535606145df9c858d4c5a5a2d9a9cff9f3992 Mon Sep 17 00:00:00 2001 From: Moayad Mardini Date: Thu, 24 Apr 2014 21:10:03 +0300 Subject: [PATCH] [1.7.x] Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection Thanks Erik Romijn for the suggestion. Backport of 3776926cfe from master --- docs/ref/models/querysets.txt | 9 ++++++++- docs/topics/db/sql.txt | 8 ++++++++ docs/topics/security.txt | 1 + 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/docs/ref/models/querysets.txt b/docs/ref/models/querysets.txt index 0f9ef88c25c..84577d40fad 100644 --- a/docs/ref/models/querysets.txt +++ b/docs/ref/models/querysets.txt @@ -1046,6 +1046,13 @@ Sometimes, the Django query syntax by itself can't easily express a complex ``QuerySet`` modifier — a hook for injecting specific clauses into the SQL generated by a ``QuerySet``. +.. warning:: + + You should be very careful whenever you use ``extra()``. Every time you use + it, you should escape any parameters that the user can control by using + ``params`` in order to protect against SQL injection attacks . Please + read more about :ref:`SQL injection protection `. + By definition, these extra lookups may not be portable to different database engines (because you're explicitly writing SQL code) and violate the DRY principle, so you should avoid them if possible. @@ -1415,7 +1422,7 @@ Takes a raw SQL query, executes it, and returns a ``django.db.models.query.RawQuerySet`` instance. This ``RawQuerySet`` instance can be iterated over just like an normal ``QuerySet`` to provide object instances. -See the :ref:`executing-raw-queries` for more information. +See the :doc:`/topics/db/sql` for more information. .. warning:: diff --git a/docs/topics/db/sql.txt b/docs/topics/db/sql.txt index 72ded4cbdb6..fc10b0e4a97 100644 --- a/docs/topics/db/sql.txt +++ b/docs/topics/db/sql.txt @@ -13,6 +13,14 @@ return model instances`__, or you can avoid the model layer entirely and __ `performing raw queries`_ __ `executing custom SQL directly`_ +.. warning:: + + You should be very careful whenever you write raw SQL. Every time you use + it, you should properly escape any parameters that the user can control + by using ``params`` in order to protect against SQL injection attacks. + Please read more about :ref:`SQL injection protection + `. + .. _executing-raw-queries: Performing raw queries diff --git a/docs/topics/security.txt b/docs/topics/security.txt index 1ae5ddf78ed..5fd62eb6941 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt @@ -79,6 +79,7 @@ HSTS for supported browsers. Be very careful with marking views with the ``csrf_exempt`` decorator unless it is absolutely necessary. +.. _sql-injection-protection: SQL injection protection ========================