
I have a few text fields in my django project and I've been learning about SQL injection. Is it important to strip the text fields of potential bad characters that might make SQL injection easier? I imagine stripping possible bad characters such as `{` and `;`, but I am not sure. These fields are short bios about a person or a contact page and so I don't imagine that they would require such characters.

To be clear, I have taken other steps to protect my website such as am using these fields things such as generating dynamic sql queries.

Micah Pearce
  • Possible duplicate of [How can I prevent SQL injection in PYTHON-DJANGO?](https://stackoverflow.com/questions/20468143/how-can-i-prevent-sql-injection-in-python-django) – Bill Karwin Jul 27 '18 at 14:01

1 Answer

The short answer is: you should be fine not worrying about it, based on the Django docs:

> **SQL injection protection**
>
> SQL injection is a type of attack where a malicious user is able to execute arbitrary SQL code on a database. This can result in records being deleted or data leakage.
>
> Django's querysets are protected from SQL injection since their queries are constructed using query parameterization. A query's SQL code is defined separately from the query's parameters. Since parameters may be user-provided and therefore unsafe, they are escaped by the underlying database driver.
>
> Django also gives developers power to write raw queries or execute custom SQL. These capabilities should be used sparingly and you should always be careful to properly escape any parameters that the user can control. In addition, you should exercise caution when using `extra()` and `RawSQL`.

https://docs.djangoproject.com/en/2.0/topics/security/#sql-injection-protection

sahutchi
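To make the point of the answer concrete, here is an added example (not part of the question, the answer, or the Django docs) contrasting the two ways a "dynamic SQL query" can be built. It uses Python's standard `sqlite3` module with a constructed in-memory `profile` table standing in for the project's database, so it runs without a Django install; the `?` placeholder is sqlite3's DB-API style, whereas Django's `Model.objects.raw(sql, params)` and `connection.cursor().execute(sql, params)` use `%s` placeholders but rely on the same driver-side parameterization. The table layout, names and bios are all constructed for the demo.

```python
import sqlite3

# Constructed in-memory database standing in for the Django project's DB.
# Added example code, not from the question or the Django docs.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profile (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)")
    conn.executemany("INSERT INTO profile (name, bio) VALUES (?, ?)", [
        ("alice", "Loves {curly braces}; semicolons too."),
        ("bob", "O'Brien's bio with an apostrophe"),
    ])
    conn.commit()
    return conn

def find_by_name_concat(conn, name):
    # Dynamic SQL built by string formatting: whatever the user typed is
    # spliced into the statement text, so it is parsed as SQL, not as data.
    sql = f"SELECT name FROM profile WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def find_by_name_param(conn, name):
    # Parameterized query: the SQL text is fixed and the value travels
    # separately to the driver, which is what Django's ORM (and raw()/
    # cursor.execute with a params list) does for you.
    sql = "SELECT name FROM profile WHERE name = ?"
    return [row[0] for row in conn.execute(sql, [name])]

def store_bio_param(conn, name, bio):
    # Stores a bio containing quotes, braces and semicolons without any
    # character stripping, then reads it back unchanged.
    conn.execute("INSERT INTO profile (name, bio) VALUES (?, ?)", (name, bio))
    conn.commit()
    row = conn.execute("SELECT bio FROM profile WHERE name = ?", [name]).fetchone()
    return row[0]

def demo():
    conn = make_db()
    crafted = "x' OR '1'='1"          # constructed input that is not a real name
    return {
        "concat_with_crafted": find_by_name_concat(conn, crafted),   # every row
        "param_with_crafted": find_by_name_param(conn, crafted),     # no row
        "param_legit_apostrophe": find_by_name_param(conn, "O'Brien"),
        "stored_bio": store_bio_param(conn, "carol", "likes ' and ; and { }"),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The takeaway for the question: with parameterized queries the characters `{`, `;` and `'` in a bio are plain data and round-trip intact, so stripping them buys nothing; conversely, string-concatenated SQL is broken by a perfectly legitimate name such as `O'Brien` and is bypassed by a crafted one, and no blacklist of characters makes it safe.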