On Friday, 6 September 2019 20:39:58 UTC+1, Bhoopesh sisoudiya wrote:
>
> Hi Lev dev,
>
> Write your query like this
>
>
> sqlRawQuery = "Your query ... Field name= {}".format (userInput)
>
> Thanks
> Bhoopesh Kumar
>
>
>>
>>
No. Do **not** do this, ever.
Use SQL parameters:
query = 'SELECT * FROM whatever WHERE name = %s'
cursor.execute(query, (user_input,))
Bhoopesh please stop giving bad unsafe advice like this.
--
Daniel.
--
You received this message because you are subscribed to the Google Groups
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-users/7bb94edb-c558-4dba-bb17-4e71e22b6685%40googlegroups.com.
