user1427661

Reputation: 11794

icontains and SQL Security

I have a web app that allows users to enter a search query which will then retrieve models that match this search criteria. Here are my methods:

@staticmethod
def searchBody(query):
    '''
    Return all entries whose body text contains the query.
    '''
    return Entry.objects.get(text__icontains=query)

@staticmethod
def searchTitle(query):
    '''
    Return all entries whose title text contains the query.
    '''
    return Entry.objects.get(title__icontains=query)

@staticmethod
def searchAuthor(query):
    '''
    Return all entries whose author text contains the query.
    '''
    return Entry.objects.get(author.icontains=query)

My question is simply: is this secure as it stands? In other words, does icontains perform the necessary string escaping operations so a person can't inject SQL or Python code into the query to launch an attack?

Upvotes: 0

Views: 251

Answers (1)

Thomas Orozco

Reputation: 55293

Yes, the Django ORM protects you against SQL injection.

Of course you can never be entirely sure that there is no security vulnerability in an application. Nevertheless, the ORM is the component responsible for protecting you against SQL injection, so you should assume it's safe and keep your django install up to date!

On an unrelated note, there is a typo in Entry.objects.get(author.icontains=query).

Also, using .get is going to throw a lot of errors here (whenever the object doesn't exist, or more than one exist). It doesn't do what your docstring says either.

You probably want to be using .filter instead.

Upvotes: 2
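To make the answer concrete, here is an added example (not from the question, the answer, or Django itself) that uses plain sqlite3 to contrast a hand-built LIKE query with the parameterised form the ORM generates for text__icontains. It assumes nothing beyond an entry table with title, author and text columns, filled with constructed sample rows; note that the ORM also escapes the LIKE wildcards % and _ before binding, which is why a search for "100%" matches literally.

```python
import sqlite3

# Constructed sample rows standing in for the question's Entry model.
SAMPLE_ENTRIES = [
    ("First post", "alice", "Hello world, 100% organic content"),
    ("Second post", "bob", "Another entry about Django"),
    ("Third post", "carol", "Scored 100 points in the test"),
]


def make_db():
    """Build an in-memory table shaped like the question's Entry model."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entry (title TEXT, author TEXT, text TEXT)")
    conn.executemany("INSERT INTO entry VALUES (?, ?, ?)", SAMPLE_ENTRIES)
    return conn


def unsafe_search_body(conn, query):
    """Hand-built SQL: the user's text becomes part of the statement.

    Shown only as the 'before' case; quotes and wildcards in `query`
    change the meaning of the WHERE clause.
    """
    sql = "SELECT title FROM entry WHERE text LIKE '%" + query + "%' ORDER BY rowid"
    return [row[0] for row in conn.execute(sql)]


def escape_like(value):
    """Escape LIKE wildcards so user text only ever matches literally.

    Django's icontains lookup applies the same escaping before binding.
    """
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def safe_search_body(conn, query):
    """Parameterised stand-in for Entry.objects.filter(text__icontains=query).

    The pattern is bound as a parameter, so the driver never splices user
    text into SQL; SQLite's LIKE is case-insensitive for ASCII by default.
    """
    sql = "SELECT title FROM entry WHERE text LIKE ? ESCAPE '\\' ORDER BY rowid"
    pattern = "%" + escape_like(query) + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]
```

Running both functions with the same hostile or wildcard-bearing input shows the difference: the hand-built query returns every row, the parameterised one returns only rows whose text literally contains the search string.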
