Loading docs/ref/models/querysets.txt +8 −1 Original line number Diff line number Diff line Loading @@ -1033,6 +1033,13 @@ Sometimes, the Django query syntax by itself can't easily express a complex ``QuerySet`` modifier — a hook for injecting specific clauses into the SQL generated by a ``QuerySet``. .. warning:: You should be very careful whenever you use ``extra()``. Every time you use it, you should escape any parameters that the user can control by using ``params`` in order to protect against SQL injection attacks . Please read more about :ref:`SQL injection protection <sql-injection-protection>`. By definition, these extra lookups may not be portable to different database engines (because you're explicitly writing SQL code) and violate the DRY principle, so you should avoid them if possible. Loading Loading @@ -1402,7 +1409,7 @@ Takes a raw SQL query, executes it, and returns a ``django.db.models.query.RawQuerySet`` instance. This ``RawQuerySet`` instance can be iterated over just like an normal ``QuerySet`` to provide object instances. See the :ref:`executing-raw-queries` for more information. See the :doc:`/topics/db/sql` for more information. .. warning:: Loading docs/topics/db/sql.txt +8 −0 Original line number Diff line number Diff line Loading @@ -13,6 +13,14 @@ return model instances`__, or you can avoid the model layer entirely and __ `performing raw queries`_ __ `executing custom SQL directly`_ .. warning:: You should be very careful whenever you write raw SQL. Every time you use it, you should properly escape any parameters that the user can control by using ``params`` in order to protect against SQL injection attacks. Please read more about :ref:`SQL injection protection <sql-injection-protection>`. .. _executing-raw-queries: Performing raw queries Loading docs/topics/security.txt +1 −0 Original line number Diff line number Diff line Loading 
@@ -79,6 +79,7 @@ HSTS for supported browsers. Be very careful with marking views with the ``csrf_exempt`` decorator unless it is absolutely necessary. .. _sql-injection-protection: SQL injection protection ======================== Loading Loading
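Review bot: the new ``extra()`` warning in the ``@@ -1033,6 +1033,13 @@`` hunk of ``docs/ref/models/querysets.txt`` has a stray space before the full stop in "SQL injection attacks ." and its wording conflates escaping with parameterisation: ``params`` does not escape anything the author writes, it hands the values to the database driver as bound parameters so they are never spliced into the SQL string. Suggest "pass any value the user can control through ``params`` instead of interpolating it into the SQL you write" so readers do not conclude that manual escaping plus string formatting is an acceptable alternative.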
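Review bot: in the ``@@ -1402,7 +1409,7 @@`` hunk of ``docs/ref/models/querysets.txt`` the unchanged context line "iterated over just like an normal ``QuerySet``" carries a pre-existing typo ("an normal" should be "a normal") that is worth fixing while this sentence is being touched. Also note that the old ``:ref:`executing-raw-queries``` target still exists (it appears as ``.. _executing-raw-queries:`` in the ``docs/topics/db/sql.txt`` hunk), so switching to ``:doc:`/topics/db/sql``` is a deliberate broadening of the link to the whole page rather than a fix for a dangling reference; a short note in the commit message would make that intent clear.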
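Review bot: the warning added in the ``@@ -13,6 +13,14 @@`` hunk of ``docs/topics/db/sql.txt`` is a near-copy of the ``extra()`` warning in ``querysets.txt`` but with slightly different wording ("properly escape" here, "escape" there), so the two will drift apart over time; keep the text identical in both places, or keep the full warning only in this topic document and have the reference page point at it. The same parameterisation-versus-escaping wording issue applies here: ``params`` binds values, it does not escape the SQL the author writes, and the warning should say so.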
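Review bot: the ``@@ -79,6 +79,7 @@`` hunk of ``docs/topics/security.txt`` adds exactly one line (``+1 −0``), the ``.. _sql-injection-protection:`` label, between "unless it is absolutely necessary." and the "SQL injection protection" heading. For Sphinx to attach the label to the section it must be separated from both the preceding paragraph and the heading by a blank line, which needs two blank lines around it rather than the one that was there before; please confirm the file reads paragraph, blank, label, blank, heading, otherwise the two new ``:ref:`SQL injection protection <sql-injection-protection>``` links in the other hunks will not resolve to the section.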