On Sat., Sep. 7, 2019, 8:21 a.m. Daniel Roseman, <dan...@roseman.org.uk>
wrote:

> On Friday, 6 September 2019 20:39:58 UTC+1, Bhoopesh sisoudiya wrote:
>>
>> Hi Lev dev,
>>
>> Write your query like this
>>
>>
>> sqlRawQuery = "Your query ... Field name= {}".format (userInput)
>>
>> Thanks
>> Bhoopesh Kumar
>>
>>
> No. Do **not** do this, ever.
>
> Use SQL parameters:
>
>     query = 'SELECT * FROM whatever WHERE name = %s'
>     cursor.execute(query, (user_input,))
>
> Bhoopesh please stop giving bad unsafe advice like this.
> --
> Daniel.
>

Bhoopesh

The reason is that the user input could be used to do something
dangerous.... It's called SQL injection. The solution by Daniel prevents
this. Look it up...

Dave

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAJPFr9RNJp%3DgfKBOC3ApdHu8nbaRhazYNDG%2BzJ3V9-q9-xroQA%40mail.gmail.com.
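The two patterns in the thread side by side, as an added example that is not code from any of the participants. It uses an in-memory sqlite3 table named `whatever` (constructed here) and a constructed input that closes the string literal, to show that the `.format()` version returns rows the caller never asked for while the parameterised version treats the same input as plain data. sqlite3 uses `?` as its placeholder; Django's `cursor.execute` uses `%s` as in Daniel's reply, but the mechanism is the same: the value travels separately from the SQL text.

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for the "whatever" table in the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE whatever (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO whatever (name, secret) VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, user_input):
    # The pattern from the thread: user input spliced into the SQL text.
    # The database cannot tell where the query ends and the data begins.
    query = "SELECT name FROM whatever WHERE name = '{}' ORDER BY name".format(
        user_input
    )
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, user_input):
    # Parameterised query: the driver passes the value separately from the SQL,
    # so whatever the input contains is only ever compared as a string value.
    query = "SELECT name FROM whatever WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (user_input,))]


# Constructed input that terminates the quoted literal and appends a tautology.
TAUTOLOGY = "nobody' OR '1'='1"


def demo():
    # Returns the four results so they can be compared (and asserted on).
    conn = make_db()
    return {
        "unsafe_normal": lookup_unsafe(conn, "alice"),
        "unsafe_injected": lookup_unsafe(conn, TAUTOLOGY),
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_injected": lookup_safe(conn, TAUTOLOGY),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Running it shows `unsafe_injected` returning every name in the table, and `safe_injected` returning nothing, because no row has the literal name `nobody' OR '1'='1`. The fix is not escaping or validating the input but never building the SQL string from it in the first place.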
