id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
22493	Documentation for raw() and extra() should warn about SQL injection	Sasha Romijn	mardini	Using the [https://docs.djangoproject.com/en/dev/topics/db/sql/#django.db.models.Manager.raw raw()] and [https://docs.djangoproject.com/en/dev/ref/models/querysets/#extra extra()] methods can result in SQL injection vulnerabilities, if not used carefully. However, the documentation does not mention this. The [https://docs.djangoproject.com/en/dev/topics/security/#sql-injection-protection Security in Django] document does include a warning regarding raw() and extra(), but I think a SQL injection is potentially so severe that we should also note this in the documentation for raw() and extra() itself.	Cleanup/optimization	closed	Documentation	dev	Normal	fixed			Accepted	0	0	0	0	1	0
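The injection the ticket warns about, shown as an added example that is not part of the ticket or of Django's own code. Django's `raw()` and `extra()` hand the SQL string to the database driver, so the mechanism is plain DB-API parameter binding; the block uses the standard-library `sqlite3` module with a constructed `app_person` table so it runs without Django. `lookup_unsafe` builds the query with `%` string formatting, the pattern the documentation warning targets; `lookup_safe` passes the value as a bound parameter, which is what `Model.objects.raw(sql, params)` and `QuerySet.extra(where=[...], params=[...])` do when the SQL contains `%s` placeholders (Django uses `%s` on every backend, including SQLite, where the driver itself uses `?`). The table, rows and payload are constructed for the demonstration.

```python
import sqlite3

# Constructed stand-in for a Django model's backing table (hypothetical app "app", model "Person").
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE app_person (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO app_person (name, is_admin) VALUES (?, ?)",
        [("alice", 0), ("bob", 1)],
    )
    return conn


def lookup_unsafe(conn, name):
    # The anti-pattern: the untrusted value is spliced into the SQL text, so quotes
    # and operators in it become part of the statement. In Django this is
    #   Person.objects.raw("SELECT * FROM app_person WHERE name = '%s'" % name)
    #   Person.objects.extra(where=["name = '%s'" % name])
    sql = "SELECT id, name FROM app_person WHERE name = '%s'" % name
    return [row[1] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # The fix: a placeholder in the SQL and the value passed separately, so the
    # driver binds it as data. The Django equivalents are
    #   Person.objects.raw("SELECT * FROM app_person WHERE name = %s", [name])
    #   Person.objects.extra(where=["name = %s"], params=[name])
    # (Django's placeholder is always %s; sqlite3 used directly wants ?.)
    sql = "SELECT id, name FROM app_person WHERE name = ?"
    return [row[1] for row in conn.execute(sql, [name])]


# Constructed payload: closes the quoted literal and appends an always-true clause.
PAYLOAD = "' OR '1'='1"


def demo():
    """Return (unsafe_result, safe_result) for the same attacker-controlled input."""
    conn = make_db()
    return lookup_unsafe(conn, PAYLOAD), lookup_safe(conn, PAYLOAD)


if __name__ == "__main__":
    unsafe, safe = demo()
    print("string formatting:", unsafe)   # every row, the WHERE clause was rewritten
    print("bound parameter:  ", safe)     # no row is literally named "' OR '1'='1"
```

Parameter binding only protects values. Table and column names, `ORDER BY` targets and anything placed in `extra(select=...)` cannot be bound, so those must come from an allow-list rather than from request data.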
