SQL injection from HTTP request data in Django raw() query

Severity: Critical | Category: sql-injection

Tags: python, django, sql-injection, database, raw-query

What it is

A SQL injection vulnerability in which untrusted values taken from an HTTP request are interpolated into the SQL string passed to QuerySet.raw() instead of being supplied through its params argument. An attacker who controls that value can change the structure of the query and read, modify or delete database data, or run other SQL statements the database user is allowed to execute.

ℹ️ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

A value from the request (query string, form field, URL keyword argument, JSON body, header) is placed directly into the SQL text handed to QuerySet.raw(). The database then parses attacker-controlled characters such as quotes and comment markers as SQL syntax rather than as data.

Root causes

Direct String Concatenation in raw() Queries

Request data is joined into the SQL string with +, f-strings, % formatting or str.format() before raw() is called. A single quote in the value closes the intended string literal, and everything after it is executed as SQL.

Missing Parameterization

raw() accepts a params argument (a list for %s placeholders, or a dict for %(name)s placeholders) that sends values to the database separately from the SQL text. When params is left unused and the values are embedded in the string, the driver never gets a chance to escape them.

Fixes

1. Use Django ORM Instead of Raw SQL

Replace raw SQL queries with Django's QuerySet filters and lookups, which bind values as parameters automatically.

Implementation:

```python
# Vulnerable: request data formatted into the SQL text
User.objects.raw(f"SELECT * FROM users WHERE username = '{user_input}'")

# Fixed: the ORM passes the value as a bound parameter
User.objects.filter(username=user_input)
```
2. Use Parameterized Queries with raw()

When raw SQL is necessary, put a placeholder in the SQL text and pass the value through the params argument. Placeholders are always %s in Django, whatever the database backend; never pre-format the string with % or .format(), and escape a literal percent sign as %% when params is used. Only values can be parameterized: table and column names chosen from request data must be checked against an allowlist instead.

Implementation:

```python
# The value travels separately from the SQL text, so quotes in it are data, not syntax
User.objects.raw("SELECT * FROM users WHERE username = %s", [user_input])
```
3. Validate and Sanitize Input

Add an input validation layer and use Django's built-in validators to restrict input to the expected format before it reaches the query. This is defence in depth, not a replacement for parameterization.

Implementation:

Coerce path and query parameters that should be IDs with int() or a URL converter such as <int:pk>, and check usernames against a strict pattern; reject anything that does not match instead of trying to strip dangerous characters.
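The three fixes above, as a runnable added example that is not code from this page or from Sourcery. It uses Python's standard-library sqlite3 so it runs without a Django project: the constructed users table stands in for the Django model, find_user_vulnerable mirrors the f-string raw() call and find_user_parameterized mirrors raw(sql, params). Note that sqlite3 uses ? placeholders, whereas Django's raw() uses %s for every backend. The sample rows, the username pattern and the validator functions are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample rows standing in for the page's "users" table (assumption).
SAMPLE_USERS = [
    (1, "alice", 0),
    (2, "bob", 1),
    (3, "carol", 0),
]

# Assumed allowlist pattern: the characters Django's default username validator
# accepts (letters, digits, @ . + - _), capped at Django's 150-character limit.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@+-]{1,150}$")


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_staff INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    """The pattern the page warns about: request data formatted into the SQL text.
    Equivalent to User.objects.raw(f"... WHERE username = '{user_input}'")."""
    sql = f"SELECT id, username FROM users WHERE username = '{user_input}'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, user_input: str) -> list:
    """The fix: a placeholder in the SQL and the value passed separately.
    Equivalent to User.objects.raw("... WHERE username = %s", [user_input]);
    sqlite3 spells the placeholder ? instead of %s."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (user_input,)).fetchall()


def validate_username(user_input: str) -> str:
    """Defence in depth (fix 3): reject anything outside the expected shape
    before it reaches the database layer. Hypothetical helper."""
    if not USERNAME_RE.match(user_input):
        raise ValueError("invalid username")
    return user_input


def validate_id(raw: str) -> int:
    """IDs from the URL or query string arrive as strings; coerce to a positive
    int or reject. Hypothetical helper mirroring what <int:pk> does in a URL."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    if value <= 0:
        raise ValueError("id must be positive")
    return value


def demo() -> dict:
    """Run a legitimate lookup and a tautology payload through both query styles."""
    conn = make_db()
    payload = "' OR '1'='1"  # closes the literal, then appends an always-true clause
    results = {
        "legit_vulnerable": find_user_vulnerable(conn, "alice"),
        "legit_parameterized": find_user_parameterized(conn, "alice"),
        "payload_vulnerable": find_user_vulnerable(conn, payload),
        "payload_parameterized": find_user_parameterized(conn, payload),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the payload, the vulnerable query becomes `... WHERE username = '' OR '1'='1'` and returns every row; the parameterized query looks for a user literally named `' OR '1'='1` and returns nothing. The validators would have rejected the payload before either query ran, which is why they belong in front of, not instead of, the params argument.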

Detect This Vulnerability in Your Code

Sourcery automatically identifies SQL injection from HTTP request data in Django raw() queries, along with many other security issues in your codebase.