how to pass user input into raw sql query ?


leb dev

unread,
Sep 6, 2019, 6:59:04 AM9/6/19
to Django users
I have a Django project that is connected to a SQL Server database. I am trying to write a select query:

    # convert the Django ORM into SQL query
    print("sql query  = ", FilterQuery.query)

    select * from table name where field name = user input


can anyone help me with this?

Bhoopesh sisoudiya

unread,
Sep 6, 2019, 3:39:58 PM9/6/19
to django...@googlegroups.com
Hi Lev dev,

Write your query like this 


    sqlRawQuery = "Your query ... Field name= {}".format(userInput)

Thanks
Bhoopesh Kumar
 


--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/fa888770-2a9a-4ff6-951b-be085c15cda8%40googlegroups.com.

Daniel Roseman

unread,
Sep 7, 2019, 11:20:39 AM9/7/19
to Django users
On Friday, 6 September 2019 20:39:58 UTC+1, Bhoopesh sisoudiya wrote:
Hi Lev dev,

Write your query like this 


    sqlRawQuery = "Your query ... Field name= {}".format(userInput)

Thanks
Bhoopesh Kumar
 


No. Do **not** do this, ever. 

Use SQL parameters: 

    from django.db import connection
    with connection.cursor() as cursor:
        query = 'SELECT * FROM whatever WHERE name = %s'
        cursor.execute(query, (user_input,))

Bhoopesh please stop giving bad unsafe advice like this. 
--
Daniel. 

David Grant

unread,
Sep 7, 2019, 3:05:58 PM9/7/19
to django...@googlegroups.com
Bhoopesh

The reason is that the user input could be used to do something dangerous.... It's called SQL injection. The solution by Daniel prevents this. Look it up...

Dave
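An added example (not code from any poster in this thread) that shows the difference Daniel and David are describing. It uses the standard-library sqlite3 module with an in-memory table so it runs anywhere; sqlite3 uses `?` as its placeholder, whereas Django's `connection.cursor()` uses `%s` for every backend as in Daniel's reply. The table, rows and inputs are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the poster's SQL Server table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO person (name) VALUES (?)",
                     [("alice",), ("O'Brien",), ("carol",)])
    return conn


def unsafe_lookup(conn, user_input):
    # The pattern proposed earlier in the thread: user input pasted into the
    # SQL text.  The input becomes part of the statement, so a quote character
    # changes the query's structure instead of being compared as data.
    query = "SELECT name FROM person WHERE name = '{}' ORDER BY id".format(user_input)
    return [row[0] for row in conn.execute(query)]


def safe_lookup(conn, user_input):
    # Parameterised query: the driver sends the value separately from the SQL
    # text, so whatever the user typed is always compared as a literal string.
    query = "SELECT name FROM person WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (user_input,))]


def compare(user_input):
    # Returns (unsafe_result, safe_result).  unsafe_result is the exception
    # class name when the formatted query no longer parses as valid SQL.
    conn = make_db()
    try:
        unsafe = unsafe_lookup(conn, user_input)
    except sqlite3.OperationalError as exc:
        unsafe = type(exc).__name__
    safe = safe_lookup(conn, user_input)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    # A plain name, a legitimate name containing an apostrophe, and an input
    # that rewrites the WHERE clause when it is formatted into the SQL text.
    for value in ["alice", "O'Brien", "x' OR '1'='1"]:
        print(repr(value), "->", compare(value))
```

The formatted query breaks on an ordinary name like O'Brien and returns every row for the last input, while the parameterised query returns exactly the matching row or nothing.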

Mario R. Osorio

unread,
Sep 7, 2019, 6:46:08 PM9/7/19
to Django users
Do not use string interpolation as proposed by Bhoopesh!!!

Take a look at:

testdevleb

unread,
Sep 8, 2019, 11:36:30 AM9/8/19
to django...@googlegroups.com
I tried Daniel's solution and this was right.

Sent from my Samsung Galaxy smartphone.