
Described how querysets are protected from SQL injection in more detail.

This commit is contained in:
Tim Graham
2017-10-23 08:21:38 -04:00
parent 1e7dbbdec5
commit 6e8508734b


@@ -90,14 +90,17 @@ SQL injection is a type of attack where a malicious user is able to execute
arbitrary SQL code on a database. This can result in records
being deleted or data leakage.
By using Django's querysets, the resulting SQL will be properly escaped by
the underlying database driver. However, Django also gives developers power to
write :ref:`raw queries <executing-raw-queries>` or execute
:ref:`custom sql <executing-custom-sql>`. These capabilities should be used
sparingly and you should always be careful to properly escape any parameters
that the user can control. In addition, you should exercise caution when using
:meth:`~django.db.models.query.QuerySet.extra` and
:class:`~django.db.models.expressions.RawSQL`.
Django's querysets are protected from SQL injection since their queries are
constructed using query parameterization. A query's SQL code is defined
separately from the query's parameters. Since parameters may be user-provided
and therefore unsafe, they are escaped by the underlying database driver.
Django also gives developers power to write :ref:`raw queries
<executing-raw-queries>` or execute :ref:`custom sql <executing-custom-sql>`.
These capabilities should be used sparingly and you should always be careful to
properly escape any parameters that the user can control. In addition, you
should exercise caution when using :meth:`~django.db.models.query.QuerySet.extra`
and :class:`~django.db.models.expressions.RawSQL`.
Clickjacking protection
=======================
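Review bot: the new first paragraph says user-provided parameters "are escaped by the underlying database driver", which sits awkwardly beside the sentence just before it, whose point is that the SQL code is defined separately from the parameters; consider "they are passed to the underlying database driver as parameters, separately from the SQL" so readers do not conclude that hand-escaping a value into a raw SQL string gives the same protection as parameterization. The retained sentence "you should always be careful to properly escape any parameters that the user can control" has the same problem and could be aligned with the new framing (pass user-controlled values as query parameters rather than interpolating them). Minor: "custom sql" in the :ref: text should be "custom SQL" for consistency with "SQL code" and "raw queries" elsewhere in the paragraph.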