On Friday, 6 September 2019 20:39:58 UTC+1, Bhoopesh sisoudiya wrote:
>
> Hi Lev dev,
>
> Write your query like this
>
>
> sqlRawQuery = "Your query ... Field name= {}".format (userInput)
>
> Thanks
> Bhoopesh Kumar
>
>
>>
>>
No. Do **not** do this, ever.
Use SQL parameters:
query = 'SELECT * FROM whatever WHERE name = %s'
cursor.execute(query, (user_input,))
Bhoopesh please stop giving bad unsafe advice like this.
--
Daniel.
--
You received this message because you are subscribed to the Google Groups
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-users/7bb94edb-c558-4dba-bb17-4e71e22b6685%40googlegroups.com.
