SQL injection from HTTP request data in raw SQL string in Django

Critical Risk · sql-injection
Tags: python, django, sql-injection, database, tainted-input

What it is

SQL injection vulnerability where user-controlled request data is interpolated into SQL strings instead of using parameters or the ORM, potentially allowing attackers to exfiltrate or corrupt data, escalate privileges, or destroy tables.

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

HTTP request data is directly inserted into SQL queries using string concatenation, format(), or f-strings.

Root causes

String Interpolation with User Input

Request values (query parameters, form fields, JSON bodies, headers) are spliced into the SQL text with string concatenation, str.format() or f-strings, so the database parses any SQL metacharacters in the value as part of the statement rather than as data.

Bypassing Django ORM

Raw database cursors (connection.cursor()) are used without parameter placeholders instead of Django's QuerySet methods, which parameterize queries automatically.

Fixes

1. Use Django ORM QuerySets

Replace raw SQL with Django's QuerySet API, which automatically handles parameterization and escaping.

Implementation: Model.objects.filter(field=user_input) instead of raw SQL

2. Use Parameterized Queries

When raw SQL is necessary, use cursor.execute() with parameter placeholders and pass the request values as the separate params argument.

Implementation: cursor.execute('SELECT * FROM table WHERE col = %s', [user_input])

3. Input Validation

Validate and sanitize all user input before use, even with parameterized queries.

Implementation: Use Django forms and validators to ensure data meets expected formats
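An added example (not Sourcery's or Django's code) that puts fix 2 and fix 3 side by side with the flagged f-string pattern. It uses the stdlib sqlite3 module so it runs without Django; the table name, columns and username pattern are constructed for illustration.

```python
"""Raw-cursor SQL built from request data vs. the parameterized, validated form.

Added example using stdlib sqlite3 so it runs without Django. Django's
connection.cursor().execute() takes the same (sql, params) shape but uses %s
placeholders for every backend, where stdlib sqlite3 uses ?.
"""
import re
import sqlite3

# Assumption: the application's usernames are short and use this charset
# (a stand-in for a Django form field / RegexValidator, per fix 3).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.'-]{1,32}$")


def is_valid_username(username):
    return bool(USERNAME_RE.match(username))


def make_db():
    # Constructed sample rows standing in for the application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_user (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO auth_user (username) VALUES (?)",
                     [("alice",), ("o'brien",), ("carol",)])
    return conn


def lookup_unsafe(conn, username):
    # The pattern the rule flags: the request value becomes part of the SQL
    # text, so a quote in `username` is parsed as statement syntax.
    query = f"SELECT id, username FROM auth_user WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Fix 3: reject input that does not match the expected shape up front.
    if not is_valid_username(username):
        raise ValueError("username does not match the expected format")
    # Fix 2: a placeholder binds `username` as a value; it is never SQL text.
    return conn.execute(
        "SELECT id, username FROM auth_user WHERE username = ?", [username]
    ).fetchall()


def compare(username):
    """Return (unsafe_outcome, safe_outcome) for one request value."""
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, username)
    except sqlite3.Error as exc:  # the interpolated quote broke the statement
        unsafe = f"error: {exc}"
    return unsafe, lookup_safe(conn, username)
```

A legitimate value such as `o'brien` already breaks the interpolated query while the bound parameter returns the right row, which is the same parsing behaviour an attacker relies on.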

Detect This Vulnerability in Your Code

Sourcery automatically identifies SQL injection from HTTP request data in raw SQL strings in Django, along with many other security issues in your codebase.