My web application has a lot of forms. I don't use Django form classes, since my forms are somewhat complicated (they involve a lot of JavaScript), so I write the forms and handle them on the server myself.
My question is about "cleaning" the fields data.
I know Django forms have a clean() method which is supposed to sanitize the data.
But doesn't Django's built-in ORM already clean the data against SQL injection type attacks?
If I have similar code:
field = request.POST['field']
record = SomeModel.objects.get(pk=record_id)
record.field = field
record.save()
I POSTed a <script> tag with some JavaScript to my server, and I couldn't find any security hole here, since Django sanitizes the data that is printed in the template.
So what does the clean() method add here exactly, and does this code have any security problems?
The clean() method mainly validates the form data, i.e. it verifies that the data inserted in the form fields fits the type of the field and respects some patterns. The SQL injection protection is built into the ORM. So if you use Django ORM querysets you should be protected from SQL injection attacks. As per the docs:
By using Django's querysets, the resulting SQL will be properly escaped by the underlying database driver.
Only if you want to run raw SQL or custom SQL queries do you have to properly escape any parameters that the user can control.
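To make the distinction concrete, here is an added example (not code from the question or the answer) of what a hand-written form handler has to do in place of a Form's clean(): check that each POSTed value has the expected type, length and pattern before it is stored. The field names, rules and sample POST bodies are assumptions constructed for the illustration; note that a string containing HTML passes this validation untouched, because neutralising markup is an output-escaping job, not a validation job.

```python
import re

# Validation rules a Form's clean() / clean_<field>() would normally enforce.
# Field names and limits are assumptions for this example.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

FIELD_RULES = {
    "email": {"type": str, "max_len": 254, "pattern": EMAIL_RE},
    "age": {"type": int, "min": 0, "max": 150},
    "comment": {"type": str, "max_len": 2000},
}


class ValidationError(ValueError):
    """Raised when a single field does not satisfy its rule."""


def clean_field(name, raw):
    """Convert and check one POSTed value; returns the typed value."""
    rule = FIELD_RULES[name]
    if rule["type"] is int:
        try:
            value = int(raw)
        except (TypeError, ValueError):
            raise ValidationError(f"{name}: not an integer")
        if not rule["min"] <= value <= rule["max"]:
            raise ValidationError(f"{name}: out of range")
        return value
    value = str(raw).strip()
    if len(value) > rule["max_len"]:
        raise ValidationError(f"{name}: too long")
    if "pattern" in rule and not rule["pattern"].match(value):
        raise ValidationError(f"{name}: bad format")
    return value


def clean_post(post):
    """Return (cleaned, errors). Keys outside FIELD_RULES are ignored,
    just as a Form ignores POST keys it has no field for."""
    cleaned, errors = {}, {}
    for name in FIELD_RULES:
        if name not in post:
            errors[name] = "missing"
            continue
        try:
            cleaned[name] = clean_field(name, post[name])
        except ValidationError as exc:
            errors[name] = str(exc)
    return cleaned, errors


# Constructed sample POST bodies standing in for request.POST.
GOOD_POST = {"email": "alice@example.com", "age": "34",
             "comment": "<script>alert(1)</script>"}   # markup is valid *data*
BAD_POST = {"email": "not-an-address", "age": "abc", "comment": "ok",
            "extra": "ignored"}

if __name__ == "__main__":
    print(clean_post(GOOD_POST))
    print(clean_post(BAD_POST))
```

The cleaned dict is what the view should go on to assign to the model, so that a non-numeric age or an over-long comment is rejected before it reaches the database, which is the part the ORM's parameter escaping does not do for you.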
Related
I am new to the Django JSONField. I have been creating models and migrating them until now. Now I have been introduced to JSONField. What I have heard is that it is the best way to mitigate the migration issue. It is because, if we had to add fields to or remove fields from the model after populating the fields (if we have used other regular fields like CharField and EmailField) in production, there may arise a migration issue, which we can avoid if we use JSONField, because we can just pass any JSON data with any number of fields in the JSONField. So, is this the best way to avoid the migration issue? I am seeking expert advice here, because there is no one I can ask and that is what I have heard.
It looks like this:
from django.db import models

class Example(models.Model):
    data = models.JSONField(null=False, default=dict)
So, instead of creating two models named Contacts and Feedback for saving the data of contact form and feedback form, I can simply use this same example model and validate to accept any data of many such forms existing in the frontend.
If you want to use JSON just to avoid migrations, then that's not a good idea.
Basically, there are these two rules for using JSON:
If the data doesn't have a strict structure.
If you don't need to query (filter, search, order, etc.) the database using the given data.
Consider this example:
from django.db import models

class User(models.Model):
    email = models.EmailField()
    address = models.JSONField()
The email is in a separate field because we want to easily query the database to check for duplicate sign-ups.
The address is in a JSONField because we won't need to query the database using address data.
However, some applications may need to query by address, for example, to list all users from a particular city. In that case, using JSON will be a bad choice.
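An added illustration of the trade-off the answer describes (example code, not from the answer, written with plain sqlite3 so it runs without Django): the e-mail lives in its own unique column, so the database itself rejects a duplicate sign-up; the address is a JSON blob, so the only way to find "everyone in Lisbon" is to pull every row back and parse it in Python. The table layout and sample users are constructed for the example.

```python
import json
import sqlite3


def build_db():
    """In-memory stand-in for the User(email, address) model above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY,"
        " email TEXT NOT NULL UNIQUE,"     # queryable, enforced by the DB
        " address TEXT NOT NULL)"          # opaque JSON text
    )
    return conn


def add_user(conn, email, address):
    """Insert a user; returns False when the e-mail is already taken.
    The UNIQUE constraint does the duplicate check, so no race-prone
    SELECT-then-INSERT is needed in application code."""
    try:
        with conn:
            conn.execute(
                "INSERT INTO users (email, address) VALUES (?, ?)",
                (email, json.dumps(address)),
            )
        return True
    except sqlite3.IntegrityError:
        return False


def users_in_city(conn, city):
    """There is no city column to filter on, so every row's JSON has to be
    fetched and decoded in Python: the cost the answer warns about."""
    rows = conn.execute("SELECT email, address FROM users").fetchall()
    return [email for email, addr in rows if json.loads(addr).get("city") == city]


def demo():
    conn = build_db()
    ok1 = add_user(conn, "alice@example.com", {"street": "1 Main St", "city": "Lisbon"})
    ok2 = add_user(conn, "bob@example.com", {"street": "2 High St", "city": "Porto"})
    dup = add_user(conn, "alice@example.com", {"city": "Madrid"})   # rejected
    return ok1, ok2, dup, users_in_city(conn, "Lisbon")


if __name__ == "__main__":
    print(demo())
```

If listing users by city ever becomes a real query, the fix is to promote city to its own column (and index it), which is exactly the migration the JSON approach was trying to avoid.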
We are migrating our intranet application and have decided to choose the Django framework. We control all of our database via source control and managed scripts, so we do not use the migrate feature to create tables for us. Views and Tables can change, all business logic is held in the database.
I want to make Django API endpoint which is basically select * from my_table_or_view; and Django can return a JSON response with the column names and values. Some database tables have close to 100 columns each so I don't want to write out each and every field name and type just to return a query. What happens if we add another column to the view - will I have to update it in Django as well? What if I change the column type - will my application fail as well?
The frontend is written in VueJS - it makes a request to the API endpoint and should use the columns selected in the frontend, obviously if I remove a column it will break but I don't want to have to add the column in the django framework even if it is not used.
I've read the raw SQL queries section of the docs but I'm not sure where this applies. Does this logic sit in the views section?
I've tried directing a URL endpoint in URLS.py to a custom class in views.py but not sure this is correct, does this logic need to be in a serializer?
I'd like the simplest method possible, potentially not using models, just raw SQL is fine.
One option for you is to sync your db to django models every time you change your schema and then use it normally, both ORM and raw SQL queries would be possible.
There's a function called inspectdb that does that natively, here is a reference to it
https://docs.djangoproject.com/en/3.1/ref/django-admin/#inspectdb
I have created an application that uses django-rest-framework. The problem is that in production with lots of data, the rendering of HTML pages will time out. This is caused, I believe, by the select fields that represent ForeignKeys of the model, which take too long to render when all the production data is available. What is the most appropriate way to prevent this?
As far as I understand, the problem is with the selectbox loaded with tons of items. The solution that is being used in django admins is to use "raw_id_fields" for the choicefields (or foreign keys) that have lots of items.
Unfortunately, DRF doesn't support Raw ID fields for now. However, you can implement a similar approach by using autocomplete fields. Right now there isn't built-in support, but you can use some external packages as described in DRF's official documentation: http://www.django-rest-framework.org/topics/browsable-api/#autocomplete
You should use select_related()/prefetch_related queryset methods to fetch the associated objects, which fill your selects. Post your models, serializer and a queryset so we can make a real example.
I'm receiving an incoming POST from another site; below is how I currently get it. I'm new to Django, but a few things jump out at me and I'm wondering if I should be concerned.
SQL Injection: As I cannot clean the POST data, is using request.POST['message'] open to SQL injection?
Security: is there a better way to do this?
from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt
from .models import Keyword

@csrf_exempt
def incoming_message(request):
    if request.POST:
        # Match incoming keyword.
        keyword = Keyword.objects.get(keyword=request.POST['message'])
    return HttpResponse()
Django has built in SQL injection prevention in its queryset driver.
By using Django's querysets, the resulting SQL will be properly escaped by the underlying database driver.
Because you're using a queryset, you're covered for SQL injection. You may want to check that you're comfortable with the XSS protection that Django provides. Depending on how you use the data, you may need to escape it yourself.
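The "depending on how you use the data" caveat is about output context. The added example below (not from the answer) shows the same stored string escaped two ways: entity-escaping for an HTML body, which is what Django's template autoescaping does, and JSON-encoding with `<`, `>` and `&` replaced by `\u` escapes for a `<script>` block, which is what Django's `json_script` filter does. The sample string and the `render` helper are constructed for the illustration.

```python
import html
import json


def escape_for_html_body(value):
    """Entity-escape & < > " ' for placement in element content or a quoted
    attribute; equivalent to what template autoescaping applies."""
    return html.escape(value, quote=True)


def escape_for_script_json(value):
    """JSON-encode for placement inside a <script> block. Entity escaping is
    wrong there (the browser does not decode entities inside script), so the
    angle brackets and ampersand are turned into JSON \\u escapes instead,
    which keeps a literal "</script>" in the data from closing the block."""
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003C")
                   .replace(">", "\\u003E")
                   .replace("&", "\\u0026"))


def render(name):
    """A page fragment that uses the same value in both contexts."""
    body = "<p>Hello " + escape_for_html_body(name) + "</p>"
    script = "<script>var user = " + escape_for_script_json(name) + ";</script>"
    return body + script


# Constructed sample value containing characters significant in both contexts.
SAMPLE = 'Tom & "Jerry" </script>'

if __name__ == "__main__":
    print(render(SAMPLE))
```

The point to check in a code review is not whether a value was "escaped" but whether it was escaped for the place it lands; a keyword echoed into a JavaScript string, an `href`, or a CSS value each needs its own treatment, and autoescaping only covers the first case.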
I’m building a web forum using Django, including the built-in authentication module.
I’m using the built-in UserCreationForm to register users. However, as I‘ve decided to use e-mail addresses as the sole way to identify users, I’m generating a username for users before registering them.
To account for users who have already registered, before I generate a username, I check that a user doesn’t exist with the supplied e-mail address.
Is it safe to use the supplied e-mail address, directly from request.POST, in a query to the Django ORM, without doing any sanitisation on it? I can’t see anything in the documentation about data in request.POST being sanitised, but the ORM protects against SQL injection. Are there other potential attacks that I’m missing?
request.POST itself is not sanitized, but the Django ORM automatically sanitizes anything you throw at it, so yes, it's safe to simply pass it right to the ORM. Just be careful with using raw or extra.
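What "the ORM sanitizes it" and "be careful with raw or extra" both come down to is parameter binding, the same mechanism the queryset quote in the earlier answers refers to. The added example below (not from any answer, and using plain sqlite3 rather than the Django ORM so it runs stand-alone) performs the duplicate e-mail check from the question two ways. With the value bound as a parameter, an e-mail containing an apostrophe is just data; spliced into the SQL text, as raw() or extra() let you do, the same value is read as SQL and the statement fails to parse. The table and sample rows are constructed for the example.

```python
import sqlite3


def setup():
    """In-memory table standing in for auth_user, with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_user (id INTEGER PRIMARY KEY, email TEXT UNIQUE)")
    conn.executemany(
        "INSERT INTO auth_user (email) VALUES (?)",
        [("alice@example.com",), ("o'brien@example.com",)],
    )
    return conn


def email_taken(conn, email):
    """What User.objects.filter(email=email).exists() compiles down to:
    the value travels to the driver as a bound parameter and is never
    interpolated into the SQL string."""
    row = conn.execute("SELECT 1 FROM auth_user WHERE email = ?", (email,)).fetchone()
    return row is not None


def email_taken_unsafe(conn, email):
    """The mistake raw()/extra() make possible: building the statement
    text from the user's value. Shown only to demonstrate the failure."""
    sql = "SELECT 1 FROM auth_user WHERE email = '%s'" % email
    return conn.execute(sql).fetchone() is not None


def unsafe_query_breaks(conn, email):
    """True if the spliced statement is rejected by the SQL parser, i.e. the
    input was treated as SQL syntax rather than as a string value."""
    try:
        email_taken_unsafe(conn, email)
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    conn = setup()
    return (
        email_taken(conn, "o'brien@example.com"),      # found, apostrophe is data
        email_taken(conn, "nobody@example.com"),       # not found
        unsafe_query_breaks(conn, "o'brien@example.com"),  # parser error
    )


if __name__ == "__main__":
    print(demo())
```

When raw SQL is unavoidable, keep the same discipline: `Model.objects.raw(sql, params)` and `cursor.execute(sql, params)` both accept a params argument, so the query text should contain only placeholders and never a user-controlled substring.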