On Thu, 2007-06-21 at 13:47 +0200, Michal wrote:
> Hello,
> I need to write some custom SQL in Django:
> 
>    from django.db import connection
>    cursor = connection.cursor()
>    cursor.execute("SELECT note FROM journals_journal WHERE LENGTH(note) > 0 AND note LIKE %s GROUP BY note ORDER BY note;", [q+'%'])
> 
> where q is string, for example 'foo'.
> 
> I have problems with it so I print out connection.queries and I was 
> surprised, because foo% wasn't surrounded by ' or " :
> 
>    SELECT note FROM journals_journal WHERE LENGTH(note) > 0 AND note 
> LIKE foo% GROUP BY note ORDER BY note;'
> 
> Is this normal? Isn't there a possibility of SQL injection?

No, because of the reason described in this email: 

http://groups.google.com/group/django-users/msg/0f3f9d729413ee32

Regards,
Malcolm
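An added illustration (not code from the thread, and not Django's implementation) of the point behind the answer: with a parameterized query the value is handed to the database driver separately from the SQL text, so a quote or SQL-looking fragment inside q is matched literally, and the unquoted "LIKE foo%" seen in a debug log is only a display rendering. It uses Python's sqlite3 module in place of Django's connection (so "?" placeholders instead of "%s"), a constructed journals_journal table, and a hypothetical render_for_log() that mimics a naive log rendering by plain string substitution.

```python
import sqlite3

# Constructed sample rows (not from the thread); the last one contains a quote
# and SQL-looking text on purpose, to show it is matched literally.
NOTES = ["foo bar", "foobar", "baz", "", "x' OR '1'='1 trick"]

# The query from the post, with sqlite3's "?" placeholder instead of Django's "%s".
PREFIX_SQL = (
    "SELECT note FROM journals_journal WHERE LENGTH(note) > 0 AND note LIKE ? "
    "GROUP BY note ORDER BY note"
)

# The same statement in the DB-API "format" paramstyle, as Django expects it;
# used only to show what a naive log rendering of it looks like.
DJANGO_STYLE_SQL = (
    "SELECT note FROM journals_journal WHERE LENGTH(note) > 0 AND note LIKE %s "
    "GROUP BY note ORDER BY note;"
)


def make_db():
    """In-memory database with the journals_journal table from the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE journals_journal (id INTEGER PRIMARY KEY, note TEXT)")
    conn.executemany(
        "INSERT INTO journals_journal (note) VALUES (?)", [(n,) for n in NOTES]
    )
    conn.commit()
    return conn


def prefix_notes(conn, q):
    """Notes starting with q, via a bound parameter: q is data, never SQL text."""
    cur = conn.cursor()
    cur.execute(PREFIX_SQL, [q + "%"])
    return [row[0] for row in cur.fetchall()]


def render_for_log(sql, params):
    """Hypothetical 'what the query looked like' rendering, for illustration only.

    Plain string substitution adds no quoting, which is why a debug log built
    this way shows  LIKE foo%  even though the database received 'foo%' as a
    separate, properly typed parameter and never saw it spliced into the SQL.
    """
    return sql % tuple(params)


if __name__ == "__main__":
    db = make_db()
    print("prefix 'foo':", prefix_notes(db, "foo"))
    # The quote-bearing value is used as a literal prefix, not as SQL.
    print("prefix with quote:", prefix_notes(db, "x' OR '1'='1"))
    print("naive log line:", render_for_log(DJANGO_STYLE_SQL, ["foo%"]))
```

The takeaway for the original question: judge injection safety by how the value reaches the database (as a bound parameter), not by how a debug log happens to print it.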
