DJG103

This check looks for ways that Django SQL Injection protection is being bypassed in the extra() query set function, by using quoted parameters.

This check will inspect any string literal within the keyword-arguments:

• “where”, “select”, “tables”, “order_by”, “params”

Example

In this example, the value of the othercol is vulnerable to SQL injection:

qs.extra(
    select={'val': "select col from sometable where othercol = '%s'"},
    select_params=(someparam,),
)

This would also apply to the where argument:

MyDataModel.objects.extra(where=['headline="%s"'], params=['Lennon'])

Fixes

Remove the quotations from the string values:

MyDataModel.objects.extra(where=['headline=%s'], params=['Lennon'])

See Also

• Official Documentation