Hello,
I need to write some custom SQL in Django:

   from django.db import connection
   cursor = connection.cursor()
   cursor.execute("SELECT note FROM journals_journal WHERE LENGTH(note) > 0 "
                  "AND note LIKE %s GROUP BY note ORDER BY note;", [q + '%'])

where q is a string, for example 'foo'.

I have problems with it, so I printed out connection.queries and I was
surprised, because foo% wasn't surrounded by ' or ":

   SELECT note FROM journals_journal WHERE LENGTH(note) > 0 AND note LIKE foo% GROUP BY note ORDER BY note;'

Is this normal? Isn't there a possibility of SQL injection?


Regards
Michal

PS: I am using PostgreSQL 7.4.12 and psycopg-1.1.21

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---
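As an added example, not part of Michal's post or of Django itself: a stand-alone sqlite3 reproduction of the query shape in the post. It shows that the driver binds the LIKE parameter as data (a quote inside q cannot terminate the string literal), that the unquoted `foo%` is just the plain `%`-interpolation Django's debug wrapper used to render the log entry rather than the query sent to the database, and the remaining caveat that `%` and `_` inside q still act as wildcards unless escaped. Assumptions: sqlite3 with `?` placeholders instead of psycopg's `%s`, and a constructed `journals_journal` table.

```python
import sqlite3

# Constructed sample rows standing in for the journals_journal table in the post.
SAMPLE_NOTES = ["foo", "foobar", "food", "bar", "fo'o", "f_o", ""]


def make_db():
    """In-memory stand-in for the journals_journal table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE journals_journal (note TEXT)")
    conn.executemany("INSERT INTO journals_journal (note) VALUES (?)",
                     [(n,) for n in SAMPLE_NOTES])
    return conn


def debug_log_rendering(sql, params):
    """What the old Django CursorDebugWrapper stored in connection.queries:
    a plain %-interpolation of the params into the SQL text, with no quoting.
    It is a display artefact for the log, not what the driver executes."""
    return sql % tuple(params)


def search_notes(conn, q, escape_wildcards=False):
    """Prefix search on note, mirroring the post's query with sqlite's '?'
    placeholder. q is bound by the driver, so quotes in q are data.
    With escape_wildcards=True, '%' and '_' in q are also treated literally."""
    if escape_wildcards:
        q = q.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
        sql = ("SELECT note FROM journals_journal WHERE LENGTH(note) > 0 "
               "AND note LIKE ? ESCAPE '\\' GROUP BY note ORDER BY note")
    else:
        sql = ("SELECT note FROM journals_journal WHERE LENGTH(note) > 0 "
               "AND note LIKE ? GROUP BY note ORDER BY note")
    return [row[0] for row in conn.execute(sql, [q + "%"])]


if __name__ == "__main__":
    db = make_db()
    print(search_notes(db, "foo"))                          # plain prefix match
    print(search_notes(db, "fo'o"))                         # quote stays data
    print(search_notes(db, "f_"))                           # '_' acts as wildcard
    print(search_notes(db, "f_", escape_wildcards=True))    # '_' taken literally
```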