SQL injection prevention via Django ORM exclusively. Use when: writing queries, reviewing data access, auditing for raw SQL.
| Rule | Enforcement |
|---|---|
| No raw SQL | cursor.execute() and .raw() are forbidden |
| ORM only | All queries via Django QuerySet API |
| Parameterized | ORM handles parameterization automatically |
| No string formatting | Never f-string or .format() in queries |
# SAFE: ORM parameterizes automatically
results = Firmware.objects.filter(name__icontains=user_query)
device = Device.objects.get(pk=device_id, user=request.user)
brands = Brand.objects.filter(slug__in=slug_list).order_by("name")
# SAFE: Complex lookups with Q objects
from django.db.models import Q
results = Firmware.objects.filter(
Q(name__icontains=query) | Q(description__icontains=query),
is_active=True,
)
# SAFE: Aggregation
from django.db.models import Count, Avg
stats = Firmware.objects.aggregate(
total=Count("id"),
avg_size=Avg("file_size"),
)
# Instead of: SELECT * FROM firmware WHERE name LIKE '%query%'
Firmware.objects.filter(name__icontains=query)
# Instead of: SELECT DISTINCT brand_id FROM firmware
Firmware.objects.values_list("brand_id", flat=True).distinct()
# Instead of: UPDATE firmware SET downloads = downloads + 1 WHERE id = ?
from django.db.models import F
Firmware.objects.filter(pk=fw_id).update(downloads=F("downloads") + 1)
# Instead of: complex JOIN
Firmware.objects.select_related("brand", "model").filter(brand__slug=slug)
connection.cursor() anywhere in application code.raw() QuerySet method.extra() QuerySet method (deprecated and unsafe).format() near any query constructionRawSQL() expressions& .\.venv\Scripts\python.exe -m ruff check . --fix
& .\.venv\Scripts\python.exe -m ruff format .
& .\.venv\Scripts\python.exe manage.py check --settings=app.settings_dev