Changes between Initial Version and Version 1 of Ticket #25705, comment 18
Timestamp: Jul 15, 2024, 9:15:37 PM (4 months ago)
Ticket #25705, comment 18
Unchanged:
> So if raw(str(qs.query)) is a risk, then quoting the parameters would fix it.

Initial version:
I was not arguing that it is not possible to cause SQL injection today by using `raw(str(qs.query))` but that the moment we do "fix it" by quoting parameters and we must ensure to safely support this anti-pattern.

Version 1:
I was not arguing that it is not possible to cause SQL injection today by using `raw(str(qs.query))` but that the moment we do "fix it" by quoting parameters we must ensure to safely support this anti-pattern going forward unless we document `sql_with_params` as the blessed way of doing that.

Unchanged:
> And as I said just after that, that alternative was rejected in the past, would be too much effort and I was only mentioning it as the only way to fix it in every backend. I should have been clearer that I wasn't pushing for this option.