Dean
Reputation: 8998
SQL injection hacks and django
Coming from a jsp and servlet background I am interested to know how django copes with SQL injection hacks. As a servlet and jsp developer I would use prepared statements which gives me some form of protection. How does django cope with custom queries, for example a custom search field.
Upvotes: 18
Views: 12298
Answers (1)
KillianDS
Reputation: 17186
If you use querysets, django will escape your variables automatically. If you use RAW queries or things like the .extra method you'll have to take extra care and for example use parameter binding. More information about the whole thing can be found here (also very good resource about other security concerns).
Upvotes: 22
Related Questions
- How do you avoid SQL Injection attacks in your Django Rest APIs if using native ORM?
- How exactly does django 'escape' sql injections with querysets?
- How can I prevent SQL injection in PYTHON-DJANGO?
- prevent SQL injection in django forms
- Django: Preventative measures for SQL Injection
- Django and SQL Injection with example
- Django request.POST.get SQL injection
- SQL injection on django app
- How can I limit an SQL query to be nondestructive?
- Accessing Django's SQL Purifier Off-Line