Hello,

I need to write some custom SQL in Django:

    from django.db import connection
    cursor = connection.cursor()
    cursor.execute("SELECT note FROM journals_journal WHERE LENGTH(note) > 0 AND note LIKE %s GROUP BY note ORDER BY note;", [q+'%'])

where q is a string, for example 'foo'. I have problems with it, so I printed out connection.queries and I was surprised, because foo% wasn't surrounded by ' or ":

    SELECT note FROM journals_journal WHERE LENGTH(note) > 0 AND note LIKE foo% GROUP BY note ORDER BY note;'

Is this normal? Isn't there a possibility of SQL injection?

Regards
Michal

PS: I am using PostgreSQL 7.4.12 and psycopg-1.1.21
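An added example, not from Michal's post or from Django, showing how DB-API parameter binding keeps the bound value as data (a quote in q cannot break the statement) and why the prefix still needs LIKE wildcard escaping, which binding does not do. It uses the standard-library sqlite3 module with `?` placeholders and a constructed in-memory stand-in for journals_journal; psycopg uses `%s` placeholders for the same purpose.

```python
import sqlite3

# Constructed sample rows standing in for journals_journal.note.
NOTES = ["foo", "foobar", "", "foo's day", "bar", "%done", "_temp"]


def make_db():
    """Create the in-memory table and load the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE journals_journal (note TEXT)")
    db.executemany("INSERT INTO journals_journal (note) VALUES (?)",
                   [(n,) for n in NOTES])
    return db


def escape_like(q, esc="\\"):
    """Make q literal inside a LIKE pattern: escape the escape character
    first, then the % and _ wildcards. Binding alone does not do this."""
    return (q.replace(esc, esc + esc)
             .replace("%", esc + "%")
             .replace("_", esc + "_"))


def notes_with_prefix(db, q, escape_wildcards=True):
    """Parameterised form of the query from the post. The driver binds the
    pattern as a value, so quotes in q are data, not SQL. With
    escape_wildcards=False a user-supplied % or _ still acts as a wildcard."""
    pattern = (escape_like(q) if escape_wildcards else q) + "%"
    sql = ("SELECT note FROM journals_journal WHERE LENGTH(note) > 0 "
           "AND note LIKE ? ESCAPE '\\' GROUP BY note ORDER BY note")
    return [row[0] for row in db.execute(sql, [pattern])]


if __name__ == "__main__":
    db = make_db()
    print(notes_with_prefix(db, "foo"))            # plain prefix match
    print(notes_with_prefix(db, "foo'"))           # quote bound as data
    print(notes_with_prefix(db, "%"))              # literal % only
    print(notes_with_prefix(db, "%", False))       # wildcard leaks: all rows
```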