[Django] #22493: Documentation for raw() and extra() should warn about SQL injection


Django

Apr 23, 2014, 4:35:30 AM4/23/14
to django-...@googlegroups.com
#22493: Documentation for raw() and extra() should warn about SQL injection
--------------------------------------+--------------------
Reporter: erikr | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 1 | UI/UX: 0
--------------------------------------+--------------------
Using the
[https://docs.djangoproject.com/en/dev/topics/db/sql/#django.db.models.Manager.raw raw()] and
[https://docs.djangoproject.com/en/dev/ref/models/querysets/#extra extra()]
methods can result in SQL injection vulnerabilities, if not used carefully.
However, the documentation does not mention this. The
[https://docs.djangoproject.com/en/dev/topics/security/#sql-injection-protection Security in Django]
document does include a warning regarding raw() and extra(), but I think a
SQL injection is potentially so severe that we should also note this in the
documentation for raw() and extra() itself.

--
Ticket URL: <https://code.djangoproject.com/ticket/22493>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Apr 23, 2014, 7:35:56 AM4/23/14
to django-...@googlegroups.com
#22493: Documentation for raw() and extra() should warn about SQL injection
--------------------------------------+------------------------------------
Reporter: erikr | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by timo):

* needs_better_patch: => 0
* needs_docs: => 0
* needs_tests: => 0
* stage: Unreviewed => Accepted


Comment:

`extra()` does say "Always use params instead of embedding values directly
into where because params will ensure values are quoted correctly
according to your particular backend. For example, quotes will be escaped
correctly." but I agree this warning is not very prominent.

--
Ticket URL: <https://code.djangoproject.com/ticket/22493#comment:1>
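The distinction the quoted docs draw (a value embedded into the SQL text versus a value passed through `params`) is easiest to see with plain sqlite3, which is how Django's database backends hand parameters to the driver anyway. This is an added example, not code from the ticket or from Django; it assumes a constructed in-memory `users` table and uses the DB-API `?` placeholder where Django's `raw()` and `extra()` take `%s`.

```python
import sqlite3


def make_db():
    # Constructed fixture standing in for a Django model's table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_staff INTEGER)")
    conn.executemany("INSERT INTO users (name, is_staff) VALUES (?, ?)",
                     [("alice", 1), ("bob", 0), ("carol", 0)])
    return conn


def names_embedded(conn, name):
    # The pattern the ticket warns about: the value becomes part of the SQL
    # text, so any quote inside it is parsed by the database as SQL syntax.
    # Django equivalent: Model.objects.raw("... WHERE name = '%s'" % name)
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def names_parameterized(conn, name):
    # What the docs recommend: the value travels separately as a parameter and
    # is only ever compared as data, never parsed.
    # Django equivalent: Model.objects.raw("... WHERE name = %s", [name])
    #                 or .extra(where=["name = %s"], params=[name])
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed input with an apostrophe: ordinary user data that the embedded
# form mishandles, which is exactly the gap an attacker-controlled value exploits.
ODD_INPUT = "o'neil"


def compare():
    conn = make_db()
    safe = names_parameterized(conn, ODD_INPUT)  # [] : no such user, no error
    try:
        embedded = names_embedded(conn, ODD_INPUT)
    except sqlite3.OperationalError as exc:
        # The quote terminated the string literal early; the rest was read as SQL.
        embedded = "error: %s" % exc
    return safe, embedded
```

Both functions return the same rows for a benign name such as `"alice"`, which is why the embedded form survives casual testing; only the parameterized form keeps quoting correct for every value.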

Django

Apr 23, 2014, 12:17:37 PM4/23/14
to django-...@googlegroups.com
#22493: Documentation for raw() and extra() should warn about SQL injection
--------------------------------------+------------------------------------
Reporter: erikr | Owner: mardini
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by mardini):

* owner: nobody => mardini
* status: new => assigned


--
Ticket URL: <https://code.djangoproject.com/ticket/22493#comment:2>

Django

Apr 25, 2014, 9:55:42 AM4/25/14
to django-...@googlegroups.com
#22493: Documentation for raw() and extra() should warn about SQL injection
--------------------------------------+------------------------------------
Reporter: erikr | Owner: mardini
Type: Cleanup/optimization | Status: closed
Component: Documentation | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"3776926cfe503f16c7195621da20c5b89bda70a2"]:
{{{
#!CommitTicketReference repository=""
revision="3776926cfe503f16c7195621da20c5b89bda70a2"
Fixed #22493 - Added warnings to raw() and extra() docs about SQL
injection

Thanks Erik Romijn for the suggestion.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/22493#comment:3>

Django

Apr 25, 2014, 9:57:22 AM4/25/14
to django-...@googlegroups.com
#22493: Documentation for raw() and extra() should warn about SQL injection
--------------------------------------+------------------------------------
Reporter: erikr | Owner: mardini
Type: Cleanup/optimization | Status: closed
Component: Documentation | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"ae1535606145df9c858d4c5a5a2d9a9cff9f3992"]:
{{{
#!CommitTicketReference repository=""
revision="ae1535606145df9c858d4c5a5a2d9a9cff9f3992"
[1.7.x] Fixed #22493 - Added warnings to raw() and extra() docs about SQL
injection

Thanks Erik Romijn for the suggestion.

Backport of 3776926cfe from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/22493#comment:5>

Django

Apr 25, 2014, 9:57:21 AM4/25/14
to django-...@googlegroups.com
#22493: Documentation for raw() and extra() should warn about SQL injection
--------------------------------------+------------------------------------
Reporter: erikr | Owner: mardini
Type: Cleanup/optimization | Status: closed
Component: Documentation | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"2b0e9aa57d4c5b5dbad7d300b4e383d384941034"]:
{{{
#!CommitTicketReference repository=""
revision="2b0e9aa57d4c5b5dbad7d300b4e383d384941034"
[1.6.x] Fixed #22493 - Added warnings to raw() and extra() docs about SQL
injection

Thanks Erik Romijn for the suggestion.

Backport of 3776926cfe503f16c7195621da20c5b89bda70a2 from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/22493#comment:4>
