QuerySet.raw() built with unsafe string interpolation
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
Model.objects.raw() is called with a query string built with an f-string, %-formatting, .format(), or concatenation instead of the parameterized ['%s', params] form. Django does not escape anything inside a raw() query string itself, so interpolated request-derived data is a direct SQL injection path.
Why it matters
Model.objects.raw() sends its query string to the database mostly as-is; Django does not parse or escape anything inside it beyond the parameter substitution you use explicitly. Building the query with an f-string, %-formatting, .format(), or string concatenation means any value that reaches that interpolation, including one taken from a request, becomes part of the SQL text, which is a direct SQL injection path.
How to fix it
Rewrite the call to use parameterized substitution: pass %s placeholders in the query string and the actual values as a second list/tuple argument, for example Model.objects.raw("SELECT * FROM app_model WHERE id = %s", [record_id]). Never build the query text itself from untrusted input, even after "sanitizing" it by hand.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo