mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00
Code Issues 32 Releases Wiki Activity

[1.6.x] Fixed queries that may return unexpected results on MySQL due to typecasting.

Browse Source 
This is a security fix. Disclosure will follow shortly.

Backport of 75c0d4ea3a from master
This commit is contained in:
Erik Romijn
2014-04-20 16:28:01 -04:00
committed by Tim Graham
parent d63e20942f
commit 5f0829a27e
6 changed files with 157 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
docs/howto/custom-model-fields.txt
View File

@@ -501,6 +501,16 @@ For example::
return ''.join([''.join(l) for l in (value.north,
value.east, value.south, value.west)])
.. warning::
If your custom field uses the ``CHAR``, ``VARCHAR`` or ``TEXT``
types for MySQL, you must make sure that :meth:`.get_prep_value`
always returns a string type. MySQL performs flexible and unexpected
matching when a query is performed on these types and the provided
value is an integer, which can cause queries to include unexpected
objects in their results. This problem cannot occur if you always
return a string type from :meth:`.get_prep_value`.
Converting query values to database values
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~