SQL injection hacks and django

django sql-injection
Dean picture Dean · Jul 24, 2010 · Viewed 11.9k times · Source

Coming from a jsp and servlet background I am interested to know how django copes with SQL injection hacks. As a servlet and jsp developer I would use prepared statements which gives me some form of protection. How does django cope with custom queries, for example a custom search field.

Answer

KillianDS picture KillianDS · Jul 24, 2010

If you use querysets, django will escape your variables automatically. If you use RAW queries or things like the .extra method you'll have to take extra care and for example use parameter binding. More information about the whole thing can be found here (also very good resource about other security concerns).

Related questions

How can I prevent SQL injection in PYTHON-DJANGO?

If a lamer input is inserted into an SQL query directly, the application becomes vulnerable to SQL injection, like in the following example: dinossauro = request.GET['username'] sql = "SELECT * FROM user_contacts WHERE username = '%s';" % username To drop the …

Read More
'pip' is not recognized as an internal or external command

I'm running into a weird error when trying to install Django on my computer. This is the sequence that I typed into my command line: C:\Python34> python get-pip.py Requirement already up-to-date: pip in c:\python34\lib\site-packages …

Read More
How can I upgrade specific packages using pip and a requirements file?

I'm using pip with a requirements file, in a virtualenv, for my Django projects. I'm trying to upgrade some packages, notably Django itself, and I'm getting an error about source code conflicts: Source in <virtualenv>/build/Django has …

Read More