Are Django Q objects (complex queries) secure?

Question

I can't seem to find any resources explaining the security of Django's built in complex queries (Q objects, or F objects). Is it possible to inject a SQL attack in these queries? I did a small test:

from models import *
from django.db.models import Q
q = MyModel.objects.filter(Q(mycolumn__contains='%; DROP DATABASE mydatabase;'))
print q
>>> []
print q.query
>>> SELECT `mydatabase_mytable`.`mycolumn` FROM `mydatabase_mytable` WHERE 
    `mydatabase_mytable`.`mycolumn` LIKE BINARY %\%; DROP DATABASE mydatabase;%

This doesn't seem to have dropped my database though. What's going on here?

score 5 · Accepted Answer · answered Nov 25 '14 at 00:24

5

As you can see from your SQL, Django is escaping the LIKE clause. Here is a reference to what is happening in that case.

In general, Django does protect you from SQL injection attacks. Here is their security page. Note that you can get in trouble by executing custom SQL or by using "extra" carelessly, but otherwise, you are protected.

answered Nov 25 '14 at 00:24

Jon S.

1,378
8
14

Using `extra()`, or using underlying connection/cursor with raw SQL directly. – alecxe Nov 25 '14 at 01:08

Are Django Q objects (complex queries) secure?

1 Answers1

Linked

Related