From 6e8508734b070b30db9259b64bb748fb2a5a1bfb Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Mon, 23 Oct 2017 08:21:38 -0400 Subject: [PATCH] Described how querysets are protected from SQL injection in more detail. --- docs/topics/security.txt | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/docs/topics/security.txt b/docs/topics/security.txt index 8d7b9c91f1..0eebdeb934 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt @@ -90,14 +90,17 @@ SQL injection is a type of attack where a malicious user is able to execute arbitrary SQL code on a database. This can result in records being deleted or data leakage. -By using Django's querysets, the resulting SQL will be properly escaped by -the underlying database driver. However, Django also gives developers power to -write :ref:`raw queries ` or execute -:ref:`custom sql `. These capabilities should be used -sparingly and you should always be careful to properly escape any parameters -that the user can control. In addition, you should exercise caution when using -:meth:`~django.db.models.query.QuerySet.extra` and -:class:`~django.db.models.expressions.RawSQL`. +Django's querysets are protected from SQL injection since their queries are +constructed using query parameterization. A query's SQL code is defined +separately from the query's parameters. Since parameters may be user-provided +and therefore unsafe, they are escaped by the underlying database driver. + +Django also gives developers power to write :ref:`raw queries +` or execute :ref:`custom sql `. +These capabilities should be used sparingly and you should always be careful to +properly escape any parameters that the user can control. In addition, you +should exercise caution when using :meth:`~django.db.models.query.QuerySet.extra` +and :class:`~django.db.models.expressions.RawSQL`. Clickjacking protection =======================
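Review bot: the new paragraph attributes the protection to query parameterization, but the retained sentence "you should always be careful to properly escape any parameters that the user can control" still frames the raw-query advice in terms of manual escaping, which is the practice the first paragraph is explaining Django avoids. Suggest aligning the two: in the second paragraph, recommend passing user-controlled values through the `params` argument of `raw()` / `cursor.execute()` rather than interpolating or hand-escaping them into the SQL string. In the first paragraph, "they are escaped by the underlying database driver" slightly overstates the mechanism, since a driver may also bind parameters server-side without any escaping; "escaped or bound by the underlying database driver" would be more accurate. Minor: "custom sql" should read "custom SQL" for consistency with the surrounding heading and text.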