Documentation for raw() and extra() should warn about SQL injection
Using the raw() and extra() methods can result in SQL injection vulnerabilities, if not used carefully. However, the documentation does not mention this. The Security in Django document does include a warning regarding raw() and extra(), but I think a SQL injection is potentially so severe that we should also note this in the documentation for raw() and extra() itself.
Change History (5)

Triage Stage: Unreviewed → Accepted
Owner: changed from nobody to mardini
Status: new → assigned
Resolution: → fixed
Status: assigned → closed
extra() does say "Always use params instead of embedding values directly into where because params will ensure values are quoted correctly according to your particular backend. For example, quotes will be escaped correctly." but I agree this warning is not very prominent.
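The comment above quotes the documentation's advice to pass values through params rather than embedding them in the where clause. As an added illustration (not part of the ticket and not Django's own code), the following stand-alone script uses Python's sqlite3 module, which exposes the same driver-level parameter binding that raw(sql, params) and extra(where=[...], params=[...]) rely on, to contrast a clause built by string formatting with one using a bound parameter. The table name app_user, the rows, and the helper function names are constructed for the example; a value containing a quote is enough to show the difference the documentation describes.

```python
import sqlite3

# Constructed sample data: a tiny in-memory table standing in for a model's table.
# The row for "o'brien" contains a quote, the case the documentation mentions.
SAMPLE_ROWS = [("alice", 1), ("bob", 0), ("carol", 0), ("o'brien", 0)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE app_user (id INTEGER PRIMARY KEY, username TEXT, is_staff INTEGER)"
    )
    conn.executemany(
        "INSERT INTO app_user (username, is_staff) VALUES (?, ?)", SAMPLE_ROWS
    )
    return conn


def find_by_username_unsafe(conn, username):
    # Embedding the value directly into the SQL text: the database parses whatever
    # the caller supplied as part of the statement, so a quote in the value changes
    # the statement's structure. This is the pattern raw()/extra() docs warn against.
    sql = "SELECT id, username FROM app_user WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_by_username_safe(conn, username):
    # Bound parameter: the value travels separately from the statement and is
    # always treated as data, so quoting is handled by the driver for the backend.
    # This is what passing params to raw() or extra() does under the hood.
    sql = "SELECT id, username FROM app_user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def unsafe_query_breaks(conn, username):
    # Returns True when the string-formatted query is no longer valid SQL for this
    # value; the same parsing behaviour is what lets untrusted input rewrite a query.
    try:
        find_by_username_unsafe(conn, username)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("safe lookup:", find_by_username_safe(db, "o'brien"))
    print("unsafe lookup breaks on quote:", unsafe_query_breaks(db, "o'brien"))
```

For a plain value both functions return the same rows; the difference only appears once the input contains characters with SQL meaning, which is exactly why the warning belongs next to raw() and extra() rather than only on the security page.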