Document risks of running raw SQL queries #547
Labels: api: spanner (issues related to the googleapis/python-spanner-django API); priority: p2 (moderately-important priority; fix may not be included in next release); 🚨 (this issue needs some love); security; type: docs (improvement to the documentation for an API)
The Django ORM allows users to perform raw SQL queries against the underlying DB. Among other risks, this can expose customers to SQL injection attacks if raw queries include unsanitized user input. This risk isn't unique to Spanner, but we should document it clearly for library users.

We may also want to note that raw SQL queries aren't guaranteed to return a usable `QuerySet`, and tell users to prefer python-spanner's `execute_sql` methods over `Manager.raw` for queries outside the scope of the ORM.
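The injection risk described in the issue, shown as an added example that is not part of the issue or of the python-spanner-django project. It uses the standard-library `sqlite3` module as a stand-in database so it runs offline; the table, rows and the `MALICIOUS` input are constructed for the demo. The placeholder style differs per driver (`?` here, `%s` for Django's `Manager.raw(sql, params)`, named `@param` values for python-spanner's `execute_sql(sql, params=..., param_types=...)`), but the point is identical in all three: user input must be passed as a bound parameter, never interpolated into the SQL text.

```python
import sqlite3

# Constructed sample data; sqlite3 stands in for Spanner so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE app_user (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO app_user (name, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0)],
    )
    return conn


def find_user_vulnerable(conn, name):
    # Mirrors the unsafe pattern: Model.objects.raw(f"... WHERE name = '{name}'").
    # The caller's string becomes part of the SQL grammar, so a quote in it rewrites the query.
    sql = f"SELECT id, name FROM app_user WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Mirrors the safe pattern: Model.objects.raw("... WHERE name = %s", [name]).
    # The driver binds the value; it can never be parsed as SQL.
    #
    # Django equivalent (not executed here):
    #   User.objects.raw("SELECT id, name FROM app_user WHERE name = %s", [name])
    # python-spanner equivalent inside a snapshot/transaction (not executed here):
    #   snapshot.execute_sql(
    #       "SELECT id, name FROM app_user WHERE name = @name",
    #       params={"name": name},
    #       param_types={"name": spanner.param_types.STRING},
    #   )
    sql = "SELECT id, name FROM app_user WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed attacker input: closes the quoted literal and appends an always-true predicate.
MALICIOUS = "x' OR '1'='1"


def demo():
    """Run both lookups with a benign and a malicious name; returns the rows each one yields."""
    conn = make_db()
    return {
        "vuln_normal": find_user_vulnerable(conn, "alice"),
        "vuln_attack": find_user_vulnerable(conn, MALICIOUS),
        "safe_normal": find_user_safe(conn, "alice"),
        "safe_attack": find_user_safe(conn, MALICIOUS),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable lookup returns every row for the malicious input because the generated SQL is `WHERE name = 'x' OR '1'='1'`; the parameterized lookup returns nothing, since the whole string is compared as a literal name. The same holds when the parameter is a number or a column value rather than a string, which is why escaping by hand is not a substitute for binding.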