What is the proper way to use raw sql in Django with params?

Question

Consider that I have a "working" PostgreSQL query -

SELECT sum((cart->> 'total_price')::int) as total_price FROM core_foo;

I want to use the raw query within Django, and I used the below code to get the result-

from django.db import connection

with connection.cursor() as cursor:
    query = """SELECT sum((cart->> 'total_price')::int) as total_price FROM core_foo;"""
    cursor.execute(query, [])
    row = cursor.fetchone()
    print(row)

But, I need to make this hard-coded query into a dynamic one with params( maybe, to prevent SQL injections). So, I converted the Django query into -

from django.db import connection

with connection.cursor() as cursor:
    query = 'SELECT sum((%(field)s->> %(key)s::int)) as foo FROM core_foo;'
    kwargs = {
        'field': 'cart',
        'key': 'total_price',
    }
    cursor.execute(query, kwargs)
    row = cursor.fetchone()
    print(row)

Unfortunately, I'm getting the following error -

DataError: invalid input syntax for type integer: "total_price"
LINE 1: SELECT sum(('cart'->> 'total_price'::int)) as foo FROM core_...

Note that; the field ( here the value is cart) input gets an additional quote symbol during the execution, which doesn't match the syntax.

Question

What is the proper way to pass kwargs to the cursor.execute(...)

with single/double quotes?
without single/double quotes?

you can only replace parameters with that construct never column names table names or json fields, for that you must use the string concatenation or replacing functionality — nbk, May 02 '23 at 18:58

score 1 · Answer 1 · answered May 02 '23 at 19:23

1

You should not pass field names through the parameters. The parameters only escape values.

You thus work with:

with connection.cursor() as cursor:
    field = 'cart'
    query = f'SELECT sum(({field}->> %(key)s::int)) as foo FROM core_foo;'
    kwargs = {
        'key': 'total_price',
    }
    cursor.execute(query, kwargs)
    row = cursor.fetchone()
    print(row)

This will of course not escape the field so if the field contains raw SQL, it is vulnerable to SQL injection.

This is one of the very many reasons not to use raw SQL queries.

If cart is a JSONField ^[Django-doc], you can query the JSONField ^[Django-doc]:

from django.db import models
from django.db.models import Sum
from django.db.models.functions import Cast

field = 'cart'
key = 'total_price'
Foo.objects.aggregate(
    total=Sum(Cast(f'{field}__{key}', output_field=models.IntegerField()))
)['total']

answered May 02 '23 at 19:23

Willem Van Onsem

443,496
30
428
555

The explanation makes sense! But, the Django ORM query doesn't seem to be working (FYI: [see this](https://stackoverflow.com/q/76160437/8283848)) – JPG May 03 '23 at 04:28
@JPG: what type of field is `cart` in the `Foo` model? – Willem Van Onsem May 03 '23 at 06:33
It is `JSONField` (postgres DB backend with Django 3.1.x) – JPG May 03 '23 at 06:45
@JPG: and what i the problem? What error do you get? – Willem Van Onsem May 03 '23 at 06:56
I created a separate SO post for that since I felt the issue supposed to be added in a better way - feel free to check https://stackoverflow.com/q/76160437/8283848 – JPG May 03 '23 at 07:16
@JPG: are you sure all the `total_price` data are integers? Not a `null`, JSON object, something else? – Willem Van Onsem May 03 '23 at 07:37
Yeah, I'm sure that all the `total_price` are integers without any `null` value – JPG May 03 '23 at 08:14

What is the proper way to use raw sql in Django with params?

Question

1 Answers1