mirror of https://github.com/django/django.git synced 2025-10-23 21:59:11 +00:00

Fixed queries that may return unexpected results on MySQL due to typecasting.

This is a security fix; disclosure to follow shortly.
Erik Romijn
2014-04-20 16:13:41 -04:00
committed by Tim Graham
parent c083e3815a
commit 75c0d4ea3a
6 changed files with 95 additions and 2 deletions


@@ -66,6 +66,16 @@ options that make it very powerful.
database, but does nothing to enforce that. If the query does not
return rows, a (possibly cryptic) error will result.
.. warning::
If you are performing queries on MySQL, note that MySQL's silent type coercion
may cause unexpected results when mixing types. If you query on a string
type column, but with an integer value, MySQL will coerce the types of all values
in the table to an integer before performing the comparison. For example, if your
table contains the values ``'abc'``, ``'def'`` and you query for ``WHERE mycolumn=0``,
both rows will match. To prevent this, perform the correct typecasting
before using the value in a query.
Mapping query fields to model fields
------------------------------------
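Review bot: The sentence "MySQL will coerce the types of all values in the table to an integer before performing the comparison" in the added warning misdescribes the behaviour and should be reworded: MySQL converts each string value it compares to a number (not the whole table, and not specifically to an integer), so a non-numeric string such as ``'abc'`` evaluates to ``0`` and matches ``WHERE mycolumn=0``; a side effect worth mentioning here is that an index on the string column cannot be used for such a comparison. Suggested wording: "MySQL converts each value in the column to a number before comparing it, so non-numeric strings compare equal to ``0``." The closing advice "perform the correct typecasting before using the value in a query" is also too vague for a warning that exists because of a security fix; say concretely what to do, e.g. "convert the value to the column's type first (for a string column, pass ``str(value)`` as the query parameter) so that a string is compared with a string."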