mirror of https://github.com/django/django.git
[2.0.x] Fixed #28770 -- Warned that quoting a placeholder in a raw SQL string is unsafe.
Thanks Hynek Cernoch for the report and review.
Backport of 327f0f37ce
from master
This commit is contained in:
parent
518c11352c
commit
c869207ea2
|
@ -660,11 +660,19 @@ should avoid them if possible.
|
||||||
|
|
||||||
.. warning::
|
.. warning::
|
||||||
|
|
||||||
You should be very careful to escape any parameters that the user can
|
To protect against `SQL injection attacks
|
||||||
control by using ``params`` in order to protect against :ref:`SQL injection
|
<https://en.wikipedia.org/wiki/SQL_injection>`_, you must escape any
|
||||||
attacks <sql-injection-protection>`. ``params`` is a required argument to
|
parameters that the user can control by using ``params``. ``params`` is a
|
||||||
force you to acknowledge that you're not interpolating your SQL with user
|
required argument to force you to acknowledge that you're not interpolating
|
||||||
provided data.
|
your SQL with user-provided data.
|
||||||
|
|
||||||
|
You also must not quote placeholders in the SQL string. This example is
|
||||||
|
vulnerable to SQL injection because of the quotes around ``%s``::
|
||||||
|
|
||||||
|
RawSQL("select col from sometable where othercol = '%s'") # unsafe!
|
||||||
|
|
||||||
|
You can read more about how Django's :ref:`SQL injection protection
|
||||||
|
<sql-injection-protection>` works.
|
||||||
|
|
||||||
Window functions
|
Window functions
|
||||||
----------------
|
----------------
|
||||||
|
|
|
@ -1284,8 +1284,15 @@ generated by a ``QuerySet``.
|
||||||
|
|
||||||
You should be very careful whenever you use ``extra()``. Every time you use
|
You should be very careful whenever you use ``extra()``. Every time you use
|
||||||
it, you should escape any parameters that the user can control by using
|
it, you should escape any parameters that the user can control by using
|
||||||
``params`` in order to protect against SQL injection attacks . Please
|
``params`` in order to protect against SQL injection attacks.
|
||||||
read more about :ref:`SQL injection protection <sql-injection-protection>`.
|
|
||||||
|
You also must not quote placeholders in the SQL string. This example is
|
||||||
|
vulnerable to SQL injection because of the quotes around ``%s``::
|
||||||
|
|
||||||
|
"select col from sometable where othercol = '%s'" # unsafe!
|
||||||
|
|
||||||
|
You can read more about how Django's :ref:`SQL injection protection
|
||||||
|
<sql-injection-protection>` works.
|
||||||
|
|
||||||
By definition, these extra lookups may not be portable to different database
|
By definition, these extra lookups may not be portable to different database
|
||||||
engines (because you're explicitly writing SQL code) and violate the DRY
|
engines (because you're explicitly writing SQL code) and violate the DRY
|
||||||
|
|
|
@ -210,20 +210,26 @@ argument.
|
||||||
|
|
||||||
.. warning::
|
.. warning::
|
||||||
|
|
||||||
**Do not use string formatting on raw queries!**
|
**Do not use string formatting on raw queries or quote placeholders in your
|
||||||
|
SQL strings!**
|
||||||
|
|
||||||
It's tempting to write the above query as::
|
It's tempting to write the above query as::
|
||||||
|
|
||||||
>>> query = 'SELECT * FROM myapp_person WHERE last_name = %s' % lname
|
>>> query = 'SELECT * FROM myapp_person WHERE last_name = %s' % lname
|
||||||
>>> Person.objects.raw(query)
|
>>> Person.objects.raw(query)
|
||||||
|
|
||||||
**Don't.**
|
You might also think you should write your query like this (with quotes
|
||||||
|
around ``%s``)::
|
||||||
|
|
||||||
Using the ``params`` argument completely protects you from `SQL injection
|
>>> query = "SELECT * FROM myapp_person WHERE last_name = '%s'"
|
||||||
attacks`__, a common exploit where attackers inject arbitrary SQL into
|
|
||||||
your database. If you use string interpolation, sooner or later you'll
|
**Don't make either of these mistakes.**
|
||||||
fall victim to SQL injection. As long as you remember to always use the
|
|
||||||
``params`` argument you'll be protected.
|
As discussed in :ref:`sql-injection-protection`, using the ``params``
|
||||||
|
argument and leaving the placeholders unquoted protects you from `SQL
|
||||||
|
injection attacks`__, a common exploit where attackers inject arbitrary
|
||||||
|
SQL into your database. If you use string interpolation or quote the
|
||||||
|
placeholder, you're at risk for SQL injection.
|
||||||
|
|
||||||
__ https://en.wikipedia.org/wiki/SQL_injection
|
__ https://en.wikipedia.org/wiki/SQL_injection
|
||||||
|
|
||||||
|
@ -257,6 +263,9 @@ For example::
|
||||||
|
|
||||||
return row
|
return row
|
||||||
|
|
||||||
|
To protect against SQL injection, you must not include quotes around the ``%s``
|
||||||
|
placeholders in the SQL string.
|
||||||
|
|
||||||
Note that if you want to include literal percent signs in the query, you have to
|
Note that if you want to include literal percent signs in the query, you have to
|
||||||
double them in the case you are passing parameters::
|
double them in the case you are passing parameters::
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue