0

After reading a response involving security django provides for sql injections. I am wondering what the docs mean by 'the underlying driver escapes the sql'. Does this mean, for lack of better word, that the 'database driver' checks the view/wherever the queryset is located for characteristics of the query, and denies 'characteristics' of certain queries?

I understand that this is kind of 'low-level' discussion, but I'm not understanding how underlying mechanisms are preventing this attack, and appreciate any simplified explaination of what is occuring here.

Link to docs

enter image description here

Charley Erd
  • 103
  • 1
  • 1
  • 7
  • 1
    Escaping simply means replacing special characters (such as `"`) with non-special "escaped" versions (such as `\"`). See https://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work for an example – Selcuk Nov 29 '19 at 03:58

1 Answers1

1

To be precise we are dealing here with parameters escaping.

The django itself does not escape parameters values. It uses the API of the driver that in general looks similar to this (see for example driver for postgres or mysql):

driver.executeQuery(
  'select field1 from table_a where field2 = %(field2)s', {'field2': 'some value'}
)

The important thing to note here is that the parameter value (which may be provided by the user and is subject to sql injection) is not embedded into the query itself. The query is passed to the driver with placeholders for parameters values and the list or dict of parameters is passed in addition to that.

Driver then can either construct the SQL query with proper escaped values for parameters or use the API provided by the database itself which is similar in functionality (that is it gets query with placeholders and parameters values).

Django querysets use this approach to generate SQL and that what this piece of documentation is trying to say.

Roman-Stop RU aggression in UA
  • 14,905
  • 3
  • 48
  • 53