Django framework · ~20 mins

SQL injection protection via ORM in Django - Practice Problems & Coding Challenges

Challenge - 5 Problems
🧠 Conceptual · intermediate
How does Django ORM protect against SQL injection?
Which of the following best explains how Django ORM prevents SQL injection attacks?
A. It automatically escapes query parameters and uses parameterized queries internally.
B. It disables all raw SQL queries by default to avoid injection.
C. It requires developers to manually sanitize all inputs before queries.
D. It encrypts all database queries before sending them to the database.
💡 Hint
Think about how query parameters are handled inside the ORM.
Component behavior · intermediate
Output of a Django ORM filter with user input
Given the code below, what will be the output if user_input = "1 OR 1=1"?
Code (Django):
user_input = "1 OR 1=1"
results = MyModel.objects.filter(id=user_input)
print(results.query)
A. Empty queryset because filter fails
B. SELECT ... WHERE id = 1 OR 1=1 (unsafe, injection possible)
C. SyntaxError due to invalid filter argument
D. SELECT ... WHERE id = '1 OR 1=1' (safe, no injection)
💡 Hint
Look at how Django ORM treats filter parameters as values, not code.
📝 Syntax · advanced
Identify the unsafe raw SQL usage in Django
Which option shows unsafe raw SQL usage vulnerable to SQL injection?
A. MyModel.objects.filter(name=user_input)
B. MyModel.objects.raw("SELECT * FROM myapp_mymodel WHERE name = %s", [user_input])
C. MyModel.objects.raw(f"SELECT * FROM myapp_mymodel WHERE name = '{user_input}'")
D. MyModel.objects.get(pk=user_input)
💡 Hint
Look for string formatting inside raw SQL queries.
🔧 Debug · advanced
Why does this Django raw query cause SQL injection?
Consider this code snippet:
query = "SELECT * FROM myapp_mymodel WHERE username = '%s'" % user_input
results = MyModel.objects.raw(query)
What is the main problem here?
A. The raw() method does not support parameterized queries.
B. User input is directly inserted into the query string without escaping.
C. The query uses single quotes instead of double quotes.
D. The query string is missing a WHERE clause.
💡 Hint
Think about how string formatting works with user input.
State output · expert
Result count after filtering with unsafe input in Django ORM
Given the model Product with integer field id, and this code:
user_input = "1 OR 1=1"
qs = Product.objects.filter(id=user_input)
count = qs.count()
What is the value of count if the database has 5 products with ids 1 to 5?
A. 0 because no product has id '1 OR 1=1'
B. 5 because the input causes SQL injection returning all rows
C. 1 because it matches the product with id 1
D. Raises a ValueError due to an invalid integer filter
💡 Hint
Consider how Django ORM treats filter values and the field type.