Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#22493 closed Cleanup/optimization (fixed)

Documentation for raw() and extra() should warn about SQL injection

Reported by: Erik Romijn Owned by: mardini
Component: Documentation Version: master
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

Using the raw() and extra() methods can result in SQL injection vulnerabilities, if not used carefully. However, the documentation does not mention this. The Security in Django document does include a warning regarding raw() and extra(), but I think a SQL injection is potentially so severe that we should also note this in the documentation for raw() and extra() itself.

Change History (5)

comment:1 Changed 2 years ago by Tim Graham

Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset
Triage Stage: Unreviewed → Accepted

extra() does say "Always use params instead of embedding values directly into where because params will ensure values are quoted correctly according to your particular backend. For example, quotes will be escaped correctly." but I agree this warning is not very prominent.
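
The difference the quoted documentation is pointing at, shown as an added example that is not part of the ticket or of Django's own code. It uses the standard-library sqlite3 driver with a constructed in-memory table so it runs offline; the two lookup functions mirror the two ways a value can reach `raw()` or `extra()` (embedded in the SQL string via `%` formatting versus passed through `params`). Note that Django's `raw()` and `extra()` always use `%s` as the placeholder and translate it for the backend, whereas sqlite3 called directly uses `?`; the table and column names here are assumptions for the demo.

```python
import sqlite3

# Constructed sample rows standing in for a Django model's table.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
]


def make_connection():
    """Return an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE app_person (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO app_person VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """Embed the value in the SQL text.

    This is the pattern the docs warn against, e.g.
    Person.objects.raw("... WHERE username = '%s'" % username)
    or .extra(where=["username = '%s'" % username]).
    The value is parsed as part of the statement, so a quote in the
    input changes the structure of the query.
    """
    sql = "SELECT id, username FROM app_person WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Pass the value as a bound parameter.

    This is the documented pattern, e.g.
    Person.objects.raw("... WHERE username = %s", [username])
    or .extra(where=["username = %s"], params=[username]).
    The driver sends the value separately from the SQL text, so it is
    always treated as data, never as SQL.
    """
    sql = "SELECT id, username FROM app_person WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both lookups for one input and return the row counts side by side."""
    conn = make_connection()
    return {
        "unsafe_rows": len(lookup_unsafe(conn, username)),
        "safe_rows": len(lookup_safe(conn, username)),
    }


if __name__ == "__main__":
    # A normal value behaves the same either way; a value containing a quote does not.
    print(compare("alice"))
    print(compare("' OR '1'='1"))
```

For the ordinary input both functions return the single matching row. For the second input the embedded form returns every row in the table, because the quote character closed the string literal and the remainder became part of the WHERE clause, while the parameterised form returns nothing, since no username equals that literal string. Linters or code review that flag `%` formatting or f-strings inside a `raw()` or `extra()` call are a cheap way to catch the unsafe form.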

comment:2 Changed 2 years ago by mardini

Owner: changed from nobody to mardini
Status: new → assigned

comment:3 Changed 2 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: assigned → closed

In 3776926cfe503f16c7195621da20c5b89bda70a2:

Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection

Thanks Erik Romijn for the suggestion.

comment:4 Changed 2 years ago by Tim Graham <timograham@…>

In 2b0e9aa57d4c5b5dbad7d300b4e383d384941034:

[1.6.x] Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection

Thanks Erik Romijn for the suggestion.

Backport of 3776926cfe503f16c7195621da20c5b89bda70a2 from master

comment:5 Changed 2 years ago by Tim Graham <timograham@…>

In ae1535606145df9c858d4c5a5a2d9a9cff9f3992:

[1.7.x] Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection

Thanks Erik Romijn for the suggestion.

Backport of 3776926cfe from master
