On Thu, 2007-06-21 at 13:47 +0200, Michal wrote:
> Hello,
> I need to write some custom SQL in Django:
>
> from django.db import connection
> cursor = connection.cursor()
> cursor.execute("SELECT note FROM journals_journal WHERE LENGTH(note) >
> 0 AND note LIKE %s GROUP BY note ORDER BY note;", [q+'%'])
>
> where q is a string, for example 'foo'.
>
> I have problems with it, so I printed out connection.queries and I was
> surprised, because foo% wasn't surrounded by ' or " :
>
> SELECT note FROM journals_journal WHERE LENGTH(note) > 0 AND note
> LIKE foo% GROUP BY note ORDER BY note;'
>
> Is this normal? Isn't there a possibility of SQL injection?
No, because of the reason described in this email:
http://groups.google.com/group/django-users/msg/0f3f9d729413ee32

Regards,
Malcolm
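The point behind Malcolm's answer is that the text in connection.queries is only a debug rendering: the parameter list is handed to the database adapter separately, and the adapter binds it as data, so the unquoted "LIKE foo%" in the log is never what the database parses. The following is an added example, not code from this thread or from Django; it uses Python's standard sqlite3 module with a constructed journals_journal table, converts Django-style %s placeholders to sqlite's ? placeholders with a simplified stand-in for what Django's sqlite backend does, and assumes (as a labelled assumption) that the old debug wrapper rendered the log line by plain string substitution. It puts the parameterized query next to a hand-quoted string-formatting version so the difference shows up on an input containing a single quote.

```python
import re
import sqlite3

# Constructed sample data for a "journals_journal" table; one note contains a
# single quote and one contains a LIKE wildcard character.
SAMPLE_NOTES = ["foo", "foobar", "O'Brien", "100%", "bar"]

# Query as written in the thread, with the Django-style %s placeholder.
SQL = ("SELECT note FROM journals_journal WHERE LENGTH(note) > 0 "
       "AND note LIKE %s GROUP BY note ORDER BY note")

# Same query, but with the value quoted by hand and spliced in as text.
# This is the unsafe pattern that the debug log *looks* like.
SQL_HANDQUOTED = ("SELECT note FROM journals_journal WHERE LENGTH(note) > 0 "
                  "AND note LIKE '%s' GROUP BY note ORDER BY note")

# Simplified stand-in for Django's %s -> ? placeholder conversion on sqlite.
_FORMAT_QMARK = re.compile(r"(?<!%)%s")


def _to_qmark(sql):
    return _FORMAT_QMARK.sub("?", sql).replace("%%", "%")


def make_db():
    """In-memory database populated with the constructed sample notes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE journals_journal (id INTEGER PRIMARY KEY, note TEXT)")
    conn.executemany("INSERT INTO journals_journal (note) VALUES (?)",
                     [(n,) for n in SAMPLE_NOTES])
    return conn


def debug_rendering(sql, params):
    """What a naive debug log shows: parameters substituted as plain text,
    without quoting. Assumption: this mirrors how the old Django debug
    cursor wrapper produced the 'LIKE foo%' line seen in the thread."""
    return sql % tuple(params)


def run_parameterized(conn, q):
    """Safe form: q is passed to the driver as a bound parameter, so its
    content is treated as data and never parsed as SQL syntax."""
    cur = conn.execute(_to_qmark(SQL), [q + "%"])
    return [row[0] for row in cur.fetchall()]


def run_interpolated(conn, q):
    """Unsafe form: the statement is built by string formatting, so any
    quote or SQL syntax in q becomes part of the statement itself."""
    cur = conn.execute(SQL_HANDQUOTED % (q + "%",))
    return [row[0] for row in cur.fetchall()]


def interpolated_breaks(conn, q):
    """True if the string-formatted query fails to parse for this q."""
    try:
        run_interpolated(conn, q)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("debug log line  :", debug_rendering(SQL, ["foo%"]))
    print("parameterized   :", run_parameterized(db, "O'Brien"))
    print("interpolated ok :", not interpolated_breaks(db, "O'Brien"))
```

Running it, the debug rendering reproduces the unquoted "LIKE foo%" line from the thread, while run_parameterized still returns ["O'Brien"] for an input containing a quote; run_interpolated on the same input raises an OperationalError from the unbalanced quote, which is the failure mode (and the injection surface) that parameter binding avoids.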