On Sat., Sep. 7, 2019, 8:21 a.m. Daniel Roseman, <daniel@roseman.org.uk> wrote:
On Friday, 6 September 2019 20:39:58 UTC+1, Bhoopesh sisoudiya wrote:Hi Lev dev,Write your query like thissqlRawQuery = "Your query ... Field name= {}".format (userInput)ThanksBhoopesh KumarNo. Do **not** do this, ever.Use SQL parameters:query = 'SELECT * FROM whatever WHERE name = %s'cursor.execute(query, (user_input,))Bhoopesh please stop giving bad unsafe advice like this.--Daniel.
Bhoopesh
The reason is that the user input could be used to do something dangerous.... It's called SQL injection. The solution be Daniel prevents this. Look it up...
Dave
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAJPFr9RNJp%3DgfKBOC3ApdHu8nbaRhazYNDG%2BzJ3V9-q9-xroQA%40mail.gmail.com.
No comments:
Post a Comment