On Friday, 6 September 2019 20:39:58 UTC+1, Bhoopesh sisoudiya wrote:
-- Hi Lev dev,Write your query like thissqlRawQuery = "Your query ... Field name= {}".format (userInput)ThanksBhoopesh Kumar
No. Do **not** do this, ever.
Use SQL parameters:
query = 'SELECT * FROM whatever WHERE name = %s'
cursor.execute(query, (user_input,))
Bhoopesh please stop giving bad unsafe advice like this.
--
Daniel.
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/7bb94edb-c558-4dba-bb17-4e71e22b6685%40googlegroups.com.
No comments:
Post a Comment