On Sat., Sep. 7, 2019, 8:21 a.m. Daniel Roseman, <[email protected]>
wrote:
> On Friday, 6 September 2019 20:39:58 UTC+1, Bhoopesh sisoudiya wrote:
>>
>> Hi Lev dev,
>>
>> Write your query like this
>>
>>
>> sqlRawQuery = "Your query ... Field name= {}".format (userInput)
>>
>> Thanks
>> Bhoopesh Kumar
>>
>>
> No. Do **not** do this, ever.
>
> Use SQL parameters:
>
> query = 'SELECT * FROM whatever WHERE name = %s'
> cursor.execute(query, (user_input,))
>
> Bhoopesh please stop giving bad unsafe advice like this.
> --
> Daniel.
>
Bhoopesh,
The reason is that the user input could be used to do something
dangerous.... It's called SQL injection. The solution by Daniel prevents
this. Look it up...
Dave
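The two patterns from the thread side by side, as an added example that is not from any poster in this thread. It uses the standard-library sqlite3 module (whose placeholder is `?`, where Django's `cursor.execute` uses `%s` as in Daniel's reply) and a constructed in-memory table; the function names and the crafted input are assumptions for illustration only:

```python
import sqlite3


def make_db():
    # Constructed sample data so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE whatever (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO whatever VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    return conn


def lookup_unsafe(conn, user_input):
    # The pattern Bhoopesh proposed: user input is pasted into the SQL text,
    # so any quote character in it changes the structure of the statement.
    query = "SELECT name FROM whatever WHERE name = '{}'".format(user_input)
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, user_input):
    # The pattern Daniel proposed: a placeholder in the SQL plus a parameter
    # tuple. The driver binds the value as data, never as SQL syntax.
    query = "SELECT name FROM whatever WHERE name = ?"
    return [row[0] for row in conn.execute(query, (user_input,))]


def demo():
    # Compare both lookups on an ordinary name and on a constructed input
    # containing a quote. Only the formatted query changes meaning.
    conn = make_db()
    crafted = "x' OR '1'='1"
    return {
        "unsafe_normal": lookup_unsafe(conn, "alice"),
        "unsafe_crafted": lookup_unsafe(conn, crafted),
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_crafted": lookup_safe(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the formatted query the crafted input returns every row in the table; with the parameterised query it matches nothing, because the whole string is compared literally against the column.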