Book Image

Django Design Patterns and Best Practices - Second Edition

By : Arun Ravindran
Book Image

Django Design Patterns and Best Practices - Second Edition

By: Arun Ravindran

Overview of this book

Building secure and maintainable web applications requires comprehensive knowledge. The second edition of this book not only sheds light on Django, but also encapsulates years of experience in the form of design patterns and best practices. Rather than sticking to GoF design patterns, the book looks at higher-level patterns. Using the latest version of Django and Python, you’ll learn about Channels and asyncio while building a solid conceptual background. The book compares design choices to help you make everyday decisions faster in a rapidly changing environment. You’ll first learn about various architectural patterns, many of which are used to build Django. You’ll start with building a fun superhero project by gathering the requirements, creating mockups, and setting up the project. Through project-guided examples, you’ll explore the Model, View, templates, workflows, and code reusability techniques. In addition to this, you’ll learn practical Python coding techniques in Django that’ll enable you to tackle problems related to complex topics such as legacy coding, data modeling, and code reusability. You’ll discover API design principles and best practices, and understand the need for asynchronous workflows. During this journey, you’ll study popular Python code testing techniques in Django, various web security threats and their countermeasures, and the monitoring and performance of your application.
Table of Contents (21 chapters)
Title Page
Copyright and Credits
PacktPub.com
Contributors
Preface
Index

SQL injection


SQL injection is the second most common vulnerability of web applications, after XSS. The attack involves entering malicious SQL code into a query that gets executed on the database. It could result in data theft, by dumping database content, or the destruction of data, say, by using the DROP TABLE command.

If you are familiar with SQL, then you can understand the following piece of code; it looks up an email address based on the given username:

name = request.GET['user'] 

sql = "SELECT email FROM users WHERE username = '{}';".format(name) 

At first glance, it might appear that only the email address corresponds to the username mentioned as the GET parameter will be returned. However, imagine if an attacker entered ' OR '1'='1' in the form field, then the SQL code would be as follows:

SELECT email FROM users WHERE username = '' OR '1'='1'; 

Since this WHERE clause will always be true, the emails of all the users of your application will be returned. This can be a serious leak of...