Do they just quote the string? Or do they use a 'bind variable' type idea?
Example: If an attacker typed ' or 'a'='a into a password input field, for instance, would the ORM properly prevent the attempted attack from working?

Sincerely,
Silas Snider

On 12/20/05, Adrian Holovaty <[EMAIL PROTECTED]> wrote:
>
> On 12/20/05, Kevin <[EMAIL PROTECTED]> wrote:
> > # my view
> > def view_article(request, article):
> >     try:
> >         articles.get_object(name__exact=article)
> >     except:
> >         return HttpResponseNotFound()
> >
> >     return render_to_response('view_article', {'article': article})
> >
> > My question is, can I trust that django's ORM won't allow "bad things"
> > to happen from the 'article' string received from the urlconf? Or do I
> > need to perform some validation on the argument before passing it to
> > get_object()?
>
> All the standard Django ORM functions, such as get_object() and
> get_list(), automatically quote all parameters within the SQL queries.
> So you don't have to worry about SQL injection.
>
> I'm hoping to write up a document about this soon.
>
> Adrian
>
> --
> Adrian Holovaty
> holovaty.com | djangoproject.com | chicagocrime.org
>

--
--------------------------------------------------------------------------
Silas Snider is a proud member of the Association of Wikipedians Who Dislike Making Broad Judgements About the Worthiness of a General Category of Article, and Who Are In Favor of the Deletion of Some Particularly Bad Articles, but That Doesn't Mean They are Deletionist (AWWDMBJAWGCAWAIFDSPBATDMTD), and the Harmonious Editing Club of Wikipedia.
--------------------------------------------------------------------------
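The distinction Silas is asking about ("just quote the string" versus a bind variable), shown as an added example that is not code from this thread or from Django. It uses Python's standard sqlite3 DB-API driver directly instead of the Django ORM, with a constructed in-memory database; the table names, rows and the login/article lookup functions are all assumptions made for the demonstration. What Django's ORM does under the hood is the second form: the SQL text is fixed and the values are handed to the database driver separately through cursor.execute(sql, params).

```python
import sqlite3

# The attacker input from the thread, as typed into a password field.
PAYLOAD = "' or 'a'='a"


def make_db():
    """Constructed in-memory sample database; none of this is real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.execute("CREATE TABLE articles (name TEXT)")
    # Inserted with a bind parameter so the apostrophe is stored literally.
    conn.execute("INSERT INTO articles VALUES (?)", ("O'Reilly's Review",))
    return conn


def login_unsafe(conn, username, password):
    """'Just quote the string': the value is pasted into the SQL text.

    The single quote in PAYLOAD closes the literal early, and the rest of
    the input is parsed as SQL, so the WHERE clause becomes
    username = '...' AND password = '' OR 'a'='a', which is true for every row.
    """
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Bind variables: the SQL text never changes, values travel separately.

    The driver receives PAYLOAD as a value to compare against the password
    column, not as SQL, so the quote inside it cannot alter the query.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def find_article(conn, name):
    """Parameterised counterpart of articles.get_object(name__exact=article).

    A legitimate apostrophe in the name is matched literally; the caller
    does not have to escape or validate the string from the URL first.
    """
    sql = "SELECT name FROM articles WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def find_article_unsafe(conn, name):
    """String-built version of the same lookup, for comparison."""
    sql = "SELECT name FROM articles WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def unsafe_article_lookup_breaks(conn, name):
    """True if the string-built lookup fails to even parse for this name."""
    try:
        find_article_unsafe(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("unsafe login :", login_unsafe(db, "nobody", PAYLOAD))   # ['alice']: auth bypassed
    print("safe login   :", login_safe(db, "nobody", PAYLOAD))     # []: payload is just a string
    print("safe article :", find_article(db, "O'Reilly's Review"))  # ["O'Reilly's Review"]
    print("unsafe article breaks on a real apostrophe:",
          unsafe_article_lookup_breaks(db, "O'Reilly's Review"))  # True
```

The two failure modes are worth keeping apart: with string-built SQL the attacker's quote rewrites the query (the login returns a row for a user who never supplied the right password), while an honest user's apostrophe merely breaks it. With bind parameters neither happens, and that is why Kevin's view needs no extra validation of the article name for SQL purposes. The caveat a practitioner should remember is that this guarantee covers values passed through the ORM's lookup API; once you hand the ORM a raw SQL fragment yourself (in later Django, through extra() or raw()), you are back to building the SQL text and must pass the values through the params argument rather than formatting them in.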