
Document risks of running raw SQL queries #547

Open
c24t opened this issue Oct 30, 2020 · 0 comments
Labels
api: spanner Issues related to the googleapis/python-spanner-django API. priority: p2 Moderately-important priority. Fix may not be included in next release. 🚨 This issue needs some love. security type: docs Improvement to the documentation for an API.

Comments

c24t (Contributor) commented Oct 30, 2020

The Django ORM allows users to perform raw SQL queries against the underlying DB. Among other risks, this can expose customers to SQL injection attacks if raw queries include unsanitized user input. This risk isn't unique to Spanner, but we should document it clearly for library users.

We may also want to note that raw SQL queries aren't guaranteed to return a usable QuerySet, and tell users to prefer python-spanner's execute_sql methods over Manager.raw for queries outside the scope of the ORM.
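The injection the issue describes, shown as an added, self-contained example (not code from the issue, the python-spanner-django project, or Django itself). It uses the standard-library sqlite3 module and a constructed in-memory table so it runs offline; the table name app_person, the columns, the rows and the attacker payload are all assumptions made for the demo. The Django and Spanner counterparts are noted in comments only: Django's Manager.raw takes a params list and uses %s placeholders on every backend, and python-spanner's execute_sql takes @name parameters with a params/param_types pair.

```python
import sqlite3

# Constructed sample data standing in for a Django model's backing table.
SAMPLE_ROWS = [
    ("Smith", "111-11-1111"),
    ("Jones", "222-22-2222"),
    ("Lee", "333-33-3333"),
]

# Classic tautology payload: closes the quoted literal, then makes the
# WHERE clause true for every row.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Create an in-memory table (assumed schema) with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE app_person (id INTEGER PRIMARY KEY, last_name TEXT, ssn TEXT)"
    )
    conn.executemany(
        "INSERT INTO app_person (last_name, ssn) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def unsafe_lookup(conn, last_name):
    """Vulnerable: the caller's string is pasted into the SQL text.

    This is the same mistake as
        Person.objects.raw(f"... WHERE last_name = '{last_name}'")
    in Django: the driver never sees a parameter, only the resulting SQL.
    """
    sql = (
        "SELECT last_name, ssn FROM app_person "
        f"WHERE last_name = '{last_name}'"
    )
    return conn.execute(sql).fetchall()


def safe_lookup(conn, last_name):
    """Parameterized: the value is bound by the driver and never parsed as SQL.

    Equivalents (not executed here):
      Django:  Person.objects.raw(
                   "SELECT ... WHERE last_name = %s", [last_name])
      Spanner: snapshot.execute_sql(
                   "SELECT ... WHERE last_name = @name",
                   params={"name": last_name},
                   param_types={"name": param_types.STRING})
    """
    sql = "SELECT last_name, ssn FROM app_person WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def demo():
    """Run both lookups against the payload and a legitimate name."""
    conn = make_db()
    return {
        "unsafe_with_payload": unsafe_lookup(conn, PAYLOAD),  # every row leaks
        "safe_with_payload": safe_lookup(conn, PAYLOAD),      # no such surname
        "safe_with_name": safe_lookup(conn, "Smith"),         # exactly one row
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The point of the comparison is that sanitizing the input is not the fix; binding it is. With the payload the unsafe query returns the whole table, while the parameterized query looks for a surname that literally equals the payload string and finds nothing. The same holds for Manager.raw: passing params keeps the SQL text fixed, whereas formatting the string yourself reintroduces the injection regardless of backend.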

@c24t c24t added the security label Oct 30, 2020
@product-auto-label product-auto-label bot added the api: spanner Issues related to the googleapis/python-spanner-django API. label Oct 30, 2020
@yoshi-automation yoshi-automation added triage me I really want to be triaged. 🚨 This issue needs some love. labels Oct 31, 2020
@skuruppu skuruppu added priority: p2 Moderately-important priority. Fix may not be included in next release. type: docs Improvement to the documentation for an API. and removed 🚨 This issue needs some love. triage me I really want to be triaged. labels Nov 19, 2020
@yoshi-automation yoshi-automation added 🚨 This issue needs some love. and removed 🚨 This issue needs some love. labels Feb 17, 2021
@yoshi-automation yoshi-automation added the 🚨 This issue needs some love. label Apr 28, 2021