hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
5990241c8fac43bb613f7eef9c516540d112d6ff
codeql/python/ql/test/experimental/library-tests/frameworks/django/SqlExecution.py
Rasmus Lerchedahl Petersen 5990241c8f Python: Support django models (with some caveats)
2020-10-20 03:20:00 +02:00

32 lines
1.4 KiB
Python
Raw Blame History

from django.db import connection, models
from django.db.models.expressions import RawSQL
def test_plain(username):
# GOOD -- Using parameters
connection.cursor().execute("SELECT * FROM users WHERE username = %s", username) # $getSql="SELECT * FROM users WHERE username = %s"
# BAD -- Using string formatting
connection.cursor().execute("SELECT * FROM users WHERE username = '%s'" % username) # $getSql=BinaryExpr
def test_context(username):
with connection.cursor() as cursor:
# GOOD -- Using parameters
cursor.execute("SELECT * FROM users WHERE username = %s", username) # $getSql="SELECT * FROM users WHERE username = %s"
# BAD -- Using string formatting
cursor.execute("SELECT * FROM users WHERE username = '%s'" % username) # $getSql=BinaryExpr
class User(models.Model):
pass
def test_model(username):
# GOOD -- Using parameters
User.objects.raw("SELECT * FROM users WHERE username = %s", (username,)) # $getSql="SELECT * FROM users WHERE username = %s"
# BAD -- other ways of executing raw SQL code with string interpolation
User.objects.annotate(RawSQL("insert into names_file ('name') values ('%s')" % username)) # $getSql=BinaryExpr
User.objects.raw("insert into names_file ('name') values ('%s')" % username) # $getSql=BinaryExpr
User.objects.extra("insert into names_file ('name') values ('%s')" % username) # $getSql=BinaryExpr
Reference in New Issue View Git Blame Copy Permalink