On Sat., Sep. 7, 2019, 8:21 a.m. Daniel Roseman, <dan...@roseman.org.uk> wrote:
> On Friday, 6 September 2019 20:39:58 UTC+1, Bhoopesh sisoudiya wrote: >> >> Hi Lev dev, >> >> Write your query like this >> >> >> sqlRawQuery = "Your query ... Field name= {}".format (userInput) >> >> Thanks >> Bhoopesh Kumar >> >> >>> >>> > No. Do **not** do this, ever. > > Use SQL parameters: > > query = 'SELECT * FROM whatever WHERE name = %s' > cursor.execute(query, (user_input,)) > > Bhoopesh please stop giving bad unsafe advice like this. > -- > Daniel. > Bhoopesh The reason is that the user input could be used to do something dangerous.... It's called SQL injection. The solution be Daniel prevents this. Look it up... Dave -- You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAJPFr9RNJp%3DgfKBOC3ApdHu8nbaRhazYNDG%2BzJ3V9-q9-xroQA%40mail.gmail.com.