Skip to content

django-raw-sql (S611)#

Derived from the flake8-bandit linter.

What it does#

Checks for uses of Django's RawSQL function.

Why is this bad?#

Django's RawSQL function can be used to execute arbitrary SQL queries, which can in turn lead to SQL injection vulnerabilities.


from django.db.models.expressions import RawSQL
from django.contrib.auth.models import User

User.objects.annotate(val=("%secure" % "nos", []))