Seth Buntin wrote:
> I got it!:
>
> def search(request):
>     keywords = request.GET['keyword'].split()
>     sql = ""
>     first = True
>     for word in keywords:
>         if first:
>             sql += "(title LIKE '%%" + word + "%%' OR description LIKE '%%" + word + "%%')"
>             first = False
>         else:
>             sql += " AND (title LIKE '%%" + word + "%%' OR description LIKE '%%" + word + "%%')"
>
>     results_list = Resource.objects.extra(where=[sql])
>     return render_to_response('tick/base_results.html', {'results_list': results_list})
Hiya Seth,

Nice solution, but I'd use the quoting ability of the SQL database if you are going to let humans near your application. They could do nasty things to your application if you don't remove quotes and various control characters. The built-in SQL functions should quote your SQL so that extra bits of SQL aren't injected into your database, e.g. drop table x, or in Microsoft SQL Server's case just about doing anything you want to the whole box and surrounding network.

Look at the Django documentation on the Database API, at the bit about "params", and for examples of SQL injection look at the OWASP article: http://www.owasp.org/index.php/SQL_injection.

Sorry if you knew this, but if you did it's worth pointing out to others tempted by your code snippet :-).

Good luck,
Shaun Laughey.
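To make Shaun's point concrete, here is an added example (not code from either poster) that rebuilds the posted search on top of Python's standard-library sqlite3 module so it runs without Django. It keeps the concatenated WHERE clause from the snippet as search_unsafe and places a parameterised version beside it as search_safe. The table name, column names and sample rows are constructed for the demo. Two things are worth noticing: the injection payload contains no whitespace, so request.GET['keyword'].split() would hand it through as a single "word"; and passing the pattern as a parameter stops injection but does not stop a user from sending a bare % and matching every row, which is why the safe version also escapes LIKE wildcards.

```python
import sqlite3

# Constructed sample data standing in for the Resource model's table (assumption).
SAMPLE_ROWS = [
    ("Django tutorial", "Getting started with the Django ORM"),
    ("Secret plans", "Not for public eyes"),
    ("Python tips", "Assorted Python tricks"),
]


def make_db():
    """Build an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resource (title TEXT, description TEXT)")
    conn.executemany("INSERT INTO resource VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_unsafe(conn, keyword_string):
    """Mirror of the posted snippet: each word is pasted into the SQL text."""
    words = keyword_string.split()
    if not words:
        return []
    clauses = []
    for word in words:
        clauses.append(
            "(title LIKE '%" + word + "%' OR description LIKE '%" + word + "%')"
        )
    sql = "SELECT title FROM resource WHERE " + " AND ".join(clauses)
    return [row[0] for row in conn.execute(sql)]


def escape_like(word, esc="\\"):
    """Escape LIKE metacharacters so user input matches only literally."""
    return (
        word.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def search_safe(conn, keyword_string):
    """Same query shape, but every user value travels as a bound parameter.

    The SQL text contains only fixed fragments and '?' placeholders; the
    driver sends the values separately, so quotes in a word can never
    terminate the string literal.  ESCAPE '\\' makes the escaped '%' and '_'
    from escape_like() literal characters instead of wildcards.
    """
    words = keyword_string.split()
    if not words:
        return []
    clauses, params = [], []
    for word in words:
        pattern = "%" + escape_like(word) + "%"
        clauses.append(
            "(title LIKE ? ESCAPE '\\' OR description LIKE ? ESCAPE '\\')"
        )
        params.extend([pattern, pattern])
    sql = "SELECT title FROM resource WHERE " + " AND ".join(clauses)
    return [row[0] for row in conn.execute(sql, params)]


# A whitespace-free payload: after .split() it is still one "word".  Pasted into
# the unsafe query it becomes  title LIKE '%' OR ''='%' ...  which is true for
# every row.  Against the safe query it is just a string nobody's title contains.
INJECTION = "'OR''='"

if __name__ == "__main__":
    db = make_db()
    print("unsafe, normal query :", search_unsafe(db, "django orm"))
    print("unsafe, injection    :", search_unsafe(db, INJECTION))
    print("safe,   injection    :", search_safe(db, INJECTION))
    print("unsafe, bare wildcard:", search_unsafe(db, "%"))
    print("safe,   bare wildcard:", search_safe(db, "%"))
```

In Django terms the fix is the `params` argument Shaun mentions: keep `?`-free placeholders in the form your backend expects (`%s`) in the `where` strings and pass the patterns as `Resource.objects.extra(where=[sql], params=params)`. Simpler still is to avoid raw SQL entirely and chain `Q(title__icontains=word) | Q(description__icontains=word)` objects with `&`, which lets the ORM do both the quoting and the wildcard handling.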