Can you trust URL parameters passed in a GET request?


Do I need to sanitise parameters captured as part of the URL before using them to carry queries and comparisons? Thanks

You must never trust what is sent to you from a browser.

Whether you need to “sanitize” it or otherwise filter it depends upon exactly how you’re going to use it. But you must not use it without ensuring that no supplied input can cause problems.

This means that using it as the parameter in a filter is probably safe. However, using that input to dynamically create a query where that parameter is used to identify which fields to search or what models are queried, would not be safe without some type of test.

1 Like

Thanks, I think I see the distinction but would like to be sure. To be more specific, I have three path converters in my URL, two slugs and a UUID (I want to keep the URL scheme consistent, which is why I have three parameters). These are being passed to a feed class. Is it safe to use the parameters in the FeedClass.get_object() method, to return the object with a ModelClass.object.get() call?

I guess it comes down to what Django is doing to match and process the URL parameters, i.e. can I be sure that the parameters are not malicious SQL code?

See Security in Django (Django documentation).

Brilliant, that answers it. I'm fine to use the URL parameters in my objects.get() call, thanks again.
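The two points made in this thread, that a value captured by a path converter can only reach the database as a bound query parameter (so `objects.get(pk=pk)` is safe) while input that chooses which field or model is queried needs an explicit check, can be shown without a Django project. The following is an added example, not code from the thread or from Django: it assumes a route of the shape `<slug:site>/<slug:section>/<uuid:pk>/`, uses regular expressions that mirror Django's built-in `slug` and `uuid` converters, and uses `sqlite3` with bound parameters in place of the ORM. The table and row are constructed sample data.

```python
import re
import sqlite3
import uuid

# Patterns equivalent to Django's SlugConverter and UUIDConverter
# (django.urls.converters). Assumption: these mirror Django; they are not
# Django's own code. Anything that does not match never reaches the view.
SLUG_RE = re.compile(r"^[-a-zA-Z0-9_]+$")
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def matches_route(path):
    """Emulate path('<slug:site>/<slug:section>/<uuid:pk>/', view).

    Returns the captured, converted values, or None where Django would
    answer 404 instead of calling the view at all.
    """
    parts = path.strip("/").split("/")
    if len(parts) != 3:
        return None
    site, section, pk = parts
    if not (SLUG_RE.match(site) and SLUG_RE.match(section) and UUID_RE.match(pk)):
        return None
    return {"site": site, "section": section, "pk": uuid.UUID(pk)}


# Constructed sample schema and row standing in for a Django model.
SCHEMA = "CREATE TABLE article (id TEXT PRIMARY KEY, site TEXT, section TEXT, title TEXT);"
ARTICLE_ID = "123e4567-e89b-12d3-a456-426614174000"  # constructed sample id


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute(
        "INSERT INTO article VALUES (?, ?, ?, ?)",
        (ARTICLE_ID, "news", "politics", "Hello"),
    )
    conn.commit()
    return conn


def get_object(conn, site, section, pk):
    """Safe pattern (the feed's get_object): captured values are bound as
    parameters, which is what Article.objects.get(site=..., pk=...) does.
    The database never interprets them as SQL, so a hostile value simply
    matches no row."""
    row = conn.execute(
        "SELECT title FROM article WHERE site = ? AND section = ? AND id = ?",
        (site, section, str(pk)),
    ).fetchone()
    return row[0] if row else None


# Unsafe shape from the thread: request input picks WHICH column is queried.
# Bound parameters cannot carry identifiers, so the name must be allow-listed.
ALLOWED_FIELDS = {"site", "section", "title"}


def filter_by_field(conn, field, value):
    """Dynamic lookup field, made safe by an explicit allow-list check."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"field not allowed: {field!r}")
    rows = conn.execute(
        f"SELECT title FROM article WHERE {field} = ?", (value,)
    ).fetchall()
    return [r[0] for r in rows]


def handle_request(conn, path):
    """Route match followed by the get_object() call; None means 404."""
    captured = matches_route(path)
    if captured is None:
        return None
    return get_object(conn, captured["site"], captured["section"], captured["pk"])


if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, f"/news/politics/{ARTICLE_ID}/"))   # Hello
    print(handle_request(db, "/news/politics/not-a-uuid/"))      # None (404)
    print(filter_by_field(db, "site", "news"))                   # ['Hello']
```

The converter stage is why the thread's `objects.get()` call is fine: a slug can only contain letters, digits, hyphens and underscores, a UUID arrives as a `uuid.UUID` object, and even a value that slips through a looser converter is bound as data, not spliced into SQL. The allow-list in `filter_by_field` is the "some type of test" the second post calls for when input is used to choose the field rather than the value.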