mirror of
https://github.com/django/django.git
synced 2025-10-24 06:06:09 +00:00
Described how querysets are protected from SQL injection in more detail.
@@ -90,14 +90,17 @@ SQL injection is a type of attack where a malicious user is able to execute
arbitrary SQL code on a database. This can result in records
being deleted or data leakage.

By using Django's querysets, the resulting SQL will be properly escaped by
the underlying database driver. However, Django also gives developers power to
write :ref:`raw queries <executing-raw-queries>` or execute
:ref:`custom sql <executing-custom-sql>`. These capabilities should be used
sparingly and you should always be careful to properly escape any parameters
that the user can control. In addition, you should exercise caution when using
:meth:`~django.db.models.query.QuerySet.extra` and
:class:`~django.db.models.expressions.RawSQL`.
Django's querysets are protected from SQL injection since their queries are
constructed using query parameterization. A query's SQL code is defined
separately from the query's parameters. Since parameters may be user-provided
and therefore unsafe, they are escaped by the underlying database driver.

Django also gives developers power to write :ref:`raw queries
<executing-raw-queries>` or execute :ref:`custom sql <executing-custom-sql>`.
These capabilities should be used sparingly and you should always be careful to
properly escape any parameters that the user can control. In addition, you
should exercise caution when using :meth:`~django.db.models.query.QuerySet.extra`
and :class:`~django.db.models.expressions.RawSQL`.

Clickjacking protection
=======================
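Review bot: the new paragraph beginning "Django's querysets are protected from SQL injection" ends by saying parameters "are escaped by the underlying database driver", which conflates parameterization with escaping and undercuts the sentence just before it ("A query's SQL code is defined separately from the query's parameters"): with server-side parameter binding the values are never spliced into the SQL text at all, and where a driver does build the statement client-side it quotes the values itself. Suggest "they are sent to the database separately from the SQL (or quoted by the driver), so they cannot alter the structure of the query." The same hunk keeps the older advice to "properly escape any parameters that the user can control" when using raw queries or custom SQL; hand-escaping is the usual way injection gets introduced, so it would be stronger to tell readers to pass user-controlled values as query parameters (the ``params`` argument of ``raw()`` and ``cursor.execute()``) rather than to escape them, and to note that ``extra()`` and ``RawSQL`` accept ``params`` for the same reason.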