Opened 10 years ago · Closed 10 years ago · Last modified 10 years ago

#22493 closed Cleanup/optimization (fixed)

Documentation for raw() and extra() should warn about SQL injection

Reported by: Sasha Romijn
Owned by: mardini
Component: Documentation
Version: dev
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

Using the raw() and extra() methods can result in SQL injection vulnerabilities if not used carefully. However, the documentation does not mention this. The Security in Django document does include a warning regarding raw() and extra(), but I think an SQL injection is potentially so severe that we should also note this in the documentation for raw() and extra() themselves.

Change History (5)

comment:1 by Tim Graham, 10 years ago

Triage Stage: Unreviewed → Accepted

extra() does say "Always use params instead of embedding values directly into where because params will ensure values are quoted correctly according to your particular backend. For example, quotes will be escaped correctly." but I agree this warning is not very prominent.
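The distinction the quoted docs draw (embedding a value into the SQL string versus passing it through params) is shown below as an added example; it is not part of the ticket or of Django's code. It uses Python's sqlite3 module with a constructed in-memory table as a stand-in for a model's table, so it runs without Django; the placeholder is `?` here because that is what sqlite3 accepts, whereas Django's raw() and extra() take `%s` placeholders and hand params to the backend in the same way.

```python
import sqlite3

# Constructed sample table standing in for a Django model's table.
SCHEMA = "CREATE TABLE person (id INTEGER PRIMARY KEY, last_name TEXT)"
ROWS = [(1, "Romijn"), (2, "O'Brien"), (3, "Graham")]


def make_db():
    """Fresh in-memory database with the constructed rows loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO person VALUES (?, ?)", ROWS)
    return conn


def find_by_name_unsafe(conn, last_name):
    """The pattern the ticket warns about: the value is interpolated into
    the SQL text, so quotes in it become part of the query. This is the
    equivalent of Model.objects.raw("... = '%s'" % value)."""
    sql = "SELECT id FROM person WHERE last_name = '%s'" % last_name
    return [row[0] for row in conn.execute(sql)]


def find_by_name_safe(conn, last_name):
    """The value is bound as a parameter and never parsed as SQL. This is
    the equivalent of raw("... = %s", [value]) or
    extra(where=["last_name = %s"], params=[value]) in Django."""
    sql = "SELECT id FROM person WHERE last_name = ?"
    return [row[0] for row in conn.execute(sql, (last_name,))]


def compare(last_name):
    """Run both variants against a fresh database and return
    (unsafe_result, safe_result). If the interpolated query does not even
    parse, unsafe_result is the exception class name instead of a list."""
    conn = make_db()
    try:
        unsafe = find_by_name_unsafe(conn, last_name)
    except sqlite3.Error as exc:
        unsafe = type(exc).__name__
    safe = find_by_name_safe(conn, last_name)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    # A plain value behaves the same either way.
    print(compare("Romijn"))
    # A legitimate name containing a quote breaks the interpolated query
    # but is matched correctly when passed as a parameter.
    print(compare("O'Brien"))
    # A value that closes the quote and adds a condition changes the
    # interpolated query's meaning; the parameterised query treats it as
    # an ordinary (non-matching) string.
    print(compare("x' OR '1'='1"))
```

The first two calls illustrate the "quotes will be escaped correctly" sentence from the docs; the third shows why the warning matters: with interpolation, the caller's input decides which rows come back, while with params the database only ever sees it as a string to compare against.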

comment:2 by mardini, 10 years ago

Owner: changed from nobody to mardini
Status: new → assigned

comment:3 by Tim Graham <timograham@…>, 10 years ago

Resolution: fixed
Status: assigned → closed

In 3776926cfe503f16c7195621da20c5b89bda70a2:

Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection

Thanks Erik Romijn for the suggestion.

comment:4 by Tim Graham <timograham@…>, 10 years ago

In 2b0e9aa57d4c5b5dbad7d300b4e383d384941034:

[1.6.x] Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection

Thanks Erik Romijn for the suggestion.

Backport of 3776926cfe503f16c7195621da20c5b89bda70a2 from master

comment:5 by Tim Graham <timograham@…>, 10 years ago

In ae1535606145df9c858d4c5a5a2d9a9cff9f3992:

[1.7.x] Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection

Thanks Erik Romijn for the suggestion.

Backport of 3776926cfe from master
