> I need to write some custom SQL in Django:
>
> from django.db import connection
> cursor = connection.cursor()
> cursor.execute("SELECT note FROM journals_journal WHERE LENGTH(note) > 0 AND note LIKE %s GROUP BY note ORDER BY note;", [q+'%'])
>
> where q is a string, for example 'foo'.
This should be writable in a slightly more Djangoic (I suppose if Python code is Pythonic, Django code is Djangoic? Djanonic? Djangonical? Djangoish?) fashion:

    entries = Journal.objects.filter(note__startswith=q)
    entries = entries.extra(where=['length(note) > 0'])

(you might have to tweak that "length(note) > 0" bit, as Django mungs field-names a bit in the query). I'm not sure why you're GROUPing BY "note" as you don't have any aggregate functions in play in your example code.

http://www.djangoproject.com/documentation/0.95/db-api/#startswith
and the "where" section of
http://www.djangoproject.com/documentation/0.95/db-api/#extra-select-none-where-none-params-none-tables-none

> I have problems with it so I print out connection.queries and I was
> surprised, because foo% wasn't surrounded by ' or " :
>
> SELECT note FROM journals_journal WHERE LENGTH(note) > 0 AND note LIKE foo% GROUP BY note ORDER BY note;'
>
> Is this normal? Isn't there a possibility of SQL injection?

As Malcolm noted, it's not quite what was sent to the DB. However, it /would/ be nice for debugging purposes to have the *exact* query sent to the DB. However, this would have to be supported on a per-backend basis. :(

-tim
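An added example, not from this thread or from Django's own code, showing why the parameterised form is safe and what connection.queries cannot show you: it uses Python's sqlite3 module directly with its `?` placeholder in place of Django's `connection.cursor()` and `%s`, runs against a constructed in-memory copy of the `journals_journal` table, and also escapes LIKE wildcards in q, which `q+'%'` alone does not do.

```python
import sqlite3

# Constructed sample rows standing in for the journals_journal table.
SAMPLE_NOTES = ["foo", "foobar", "", "bar", "foo'bar", "100% done", "f_o"]


def make_db():
    """Build an in-memory copy of the table from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE journals_journal (note TEXT)")
    conn.executemany("INSERT INTO journals_journal VALUES (?)",
                     [(n,) for n in SAMPLE_NOTES])
    return conn


def escape_like(q, esc="\\"):
    """Escape LIKE metacharacters so q is matched literally.

    Parameters stop SQL injection, but % and _ inside q would still be
    interpreted as wildcards by LIKE; this closes that gap.
    """
    return (q.replace(esc, esc + esc)
             .replace("%", esc + "%")
             .replace("_", esc + "_"))


def notes_starting_with(conn, q):
    """Parameterised version of the query from the thread.

    The SQL text never contains q: the driver receives q+'%' as a
    separate parameter, which is why connection.queries shows the
    placeholder rather than a quoted literal. A quote inside q is
    therefore plain data, not SQL syntax.
    """
    sql = ("SELECT note FROM journals_journal "
           "WHERE LENGTH(note) > 0 AND note LIKE ? ESCAPE '\\' "
           "GROUP BY note ORDER BY note")
    cur = conn.execute(sql, [escape_like(q) + "%"])
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    db = make_db()
    for q in ["foo", "foo'", "%", "f_"]:
        print(repr(q), "->", notes_starting_with(db, q))
```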