Log in

Django ORM

  • Is the ORM using bound parameters for all the different backends? We must verify each one.
  • Can developers write raw SQL queries using bound parameters, or does it just use string interpolation behind the scenes?
  • Is the documentation clear about the risks of writing raw SQL queries with user input? What escaping mechanisms are provided to escape user-supplied data?
  • Is the ORM using bound parameters for all the different backends? We must verify each one.
  • Can developers write raw SQL queries using bound parameters, or does it just use string interpolation behind the scenes?
  • Is the documentation clear about the risks of writing raw SQL queries with user input? What escaping mechanisms are provided to escape user-supplied data?

Manager.raw

Raw SQL queries can be made with Manager.raw. When using this be sure to pass in query parameters as a list as the second parameter. Do not use string interpolation.

These grep queries might help you find instances in your application where you use raw SQL. Verify that they do not use string interpolation.

  • grep -R ".raw(" *
  • grep -R ".execute(" *
  • Version: latest
  • Edited by Craig Younkins on 7/26/10 3:52 PM
  • History
  • Edit

An OWASP project created by Craig Younkins

Powered by Moe and Google App Engine