how to pass user input into raw sql query ?


how to pass user input into raw sql query ?

leb dev
I have a Django project that is connected to a SQL Server database. I am trying to write a select query:

    # convert the Django ORM queryset into its SQL query
    print("sql query = ", FilterQuery.query)

select * from table name where field name = user input

Can anyone help me with this?

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/fa888770-2a9a-4ff6-951b-be085c15cda8%40googlegroups.com.
Re: how to pass user input into raw sql query ?

Bhoopesh sisoudiya
Hi Lev dev,

Write your query like this 


sqlRawQuery = "Your query ... Field name= {}".format(userInput)

Thanks
Bhoopesh Kumar
 


On Fri, Sep 6, 2019, 4:29 PM leb dev <[hidden email]> wrote:
Re: how to pass user input into raw sql query ?

Daniel Roseman-2
On Friday, 6 September 2019 20:39:58 UTC+1, Bhoopesh sisoudiya wrote:
No. Do **not** do this, ever. 

Use SQL parameters: 

    query = 'SELECT * FROM whatever WHERE name = %s'
    cursor.execute(query, (user_input,))

Bhoopesh please stop giving bad unsafe advice like this. 
--
Daniel. 

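A runnable illustration of the difference between the two replies above. This is an added example, not code from the thread or from Django itself: it uses Python's built-in sqlite3 module as a stand-in for the SQL Server connection so it runs offline, with a constructed table named whatever (borrowed from Daniel's query) and a few constructed rows. The unsafe function builds the statement with str.format as in the first reply; the safe ones pass the value as a query parameter as Daniel advises. Note that sqlite3 uses ? placeholders, whereas a cursor from django.db.connection uses %s for every backend, with the same (query, params) calling convention.

```python
import sqlite3

# Constructed sample rows, not data from the thread.
ROWS = [("alice",), ("O'Brien",), ("bob",)]


def make_db():
    """Create an in-memory table 'whatever' with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE whatever (name TEXT)")
    conn.executemany("INSERT INTO whatever (name) VALUES (?)", ROWS)
    return conn


def lookup_unsafe(conn, user_input):
    # String interpolation as in the thread's first reply: the input becomes
    # part of the SQL text, so a quote character in it changes the statement.
    query = "SELECT name FROM whatever WHERE name = '{}'".format(user_input)
    return [row[0] for row in conn.execute(query)]


def lookup_param(conn, user_input):
    # Parameterized query as in Daniel's reply. The driver sends the value
    # separately from the SQL text, so it is always compared as a literal.
    query = "SELECT name FROM whatever WHERE name = ?"
    return [row[0] for row in conn.execute(query, (user_input,))]


def lookup_many(conn, names):
    # Only values can be parameters, so a variable-length IN list needs one
    # placeholder per value. The placeholders are built from the count,
    # never from the values themselves.
    if not names:
        return []
    placeholders = ", ".join("?" for _ in names)
    query = f"SELECT name FROM whatever WHERE name IN ({placeholders})"
    return sorted(row[0] for row in conn.execute(query, tuple(names)))


def demo(user_input):
    """Return (unsafe_result, safe_result) for one input value."""
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, user_input)
    except sqlite3.OperationalError as exc:
        # A legitimate name containing an apostrophe already breaks the
        # interpolated statement; a hostile input could rewrite it instead.
        unsafe = f"error: {exc}"
    safe = lookup_param(conn, user_input)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    print(demo("alice"))
    print(demo("O'Brien"))
```

Two practical points follow from this. First, the input "O'Brien" is enough to make the interpolated version fail, so correctness, not only security, argues for parameters. Second, table and column names cannot be passed as parameters; the original post treats both as variables, and the usual approach is to compare such identifiers against a fixed allowlist in application code before they go anywhere near the SQL string.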
Re: how to pass user input into raw sql query ?

David Grant


On Sat., Sep. 7, 2019, 8:21 a.m. Daniel Roseman, <[hidden email]> wrote:
Bhoopesh

The reason is that the user input could be used to do something dangerous.... It's called SQL injection. The solution by Daniel prevents this. Look it up...

Dave

Re: how to pass user input into raw sql query ?

Mario R. Osorio
In reply to this post by leb dev
Do not use string interpolation as proposed by Bhoopesh!!!

Take a look at:

On Friday, September 6, 2019 at 6:59:04 AM UTC-4, leb dev wrote:

Re: how to pass user input into raw sql query ?

leb dev
In reply to this post by David Grant

I tried Daniel's solution and this was right.
