
I'm trying to send a query through Django (Python), and I am also trying to block any SQL injection exploits.

Can someone explain to me how this is done with a LIKE query, for example:

SELECT * FROM admin WHERE name LIKE '%myTitle%'

It's easy to set up a query like this:

cursor.execute("SELECT * FROM admin WHERE name = %s", (_id,))

But when I insert %s, I get many errors when escaping with %% in the text, for example:

SELECT * FROM admin WHERE name LIKE %s

When the query is done it looks like:

SELECT * FROM admin WHERE name 'MyTitle'

It is implemented correctly, but I want %% to be set around the %s in the LIKE:

SELECT * FROM admin WHERE name '%MyTitle%'

Can someone explain to me how to solve this problem?

My simple script:

from django.db import connection

title = "myTitle"
query = "SELECT * FROM admin WHERE name LIKE %s"
with connection.cursor() as cursor:
    cursor.execute(query, (title,))
Ghost Ghaith

1 Answer


Kindly check this page:

What is the SQL ''LIKE" equivalent on Django ORM queries?

That is the Django ORM way.

https://docs.djangoproject.com/en/4.2/topics/db/sql/

That is the Django way for raw queries:

>>> # pass the value as a parameter; never %-format user input into the SQL string
>>> lname = "Doe"
>>> Person.objects.raw("SELECT * FROM myapp_person WHERE last_name = %s", [lname])

What you are showing is NOT Django code; it is pure python-mysql.

For python-MySQL you should do as you do, and it will take care of quotes and injections.

But you should do it like this:

# put the wildcards into the bound value, not into the SQL text
title_like = f"%{title}%"
cursor.execute(query, (title_like,))

Where title_like is the LIKE string: a MySQL LIKE pattern which contains %.

arheops
  • Thank you very much. Yes, I use python-mysql, because I am originally a PHP programmer and I like to write my queries manually without using the Django ORM. The solution was very simple, but it did not occur to me, thank you very much. Is there any risk of SQL injection when using python-mysql with %s? – Ghost Ghaith Aug 03 '23 at 14:53
  • That is bad practice. If you are using Django, learn how to do it in Django. Otherwise the next dev can have a hard time fixing all that. Also some features like read replicas, DB rewrites, DB routers etc. will not work with your code. – arheops Aug 03 '23 at 17:08
  • In general, if someone states he learned Django and puts that on an interview, that is a deny immediately. Nobody wants to support 100500 variants of code inside a FRAMEWORK. – arheops Aug 03 '23 at 17:09
  • Thank you very much for the clarification. Do you advise me to learn the Django ORM or continue as I am? – Ghost Ghaith Aug 03 '23 at 20:08
  • The ORM is more readable. In most cases, if something can be done without performance issues using the ORM, it is recommended to use the ORM. Note that your case is perfectly fine with the ORM. Also the ORM can be hacked at the application level when needed, while code like yours will need a change at every position where you used it. – arheops Aug 04 '23 at 02:06
  • You also can check SQLAlchemy. – arheops Aug 04 '23 at 02:07
  • Thank you bro, I'm going to look up SQLAlchemy. Can you upvote my question? – Ghost Ghaith Aug 04 '23 at 03:38
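As an added example (not code from the question or the answer), here is the parameterized LIKE search from the accepted answer, extended with one caveat the thread does not cover: binding the pattern as a parameter stops SQL injection, but it does not stop a user's own % or _ from acting as LIKE wildcards, so those are escaped as well. The stdlib sqlite3 module with ? placeholders stands in for Django's connection.cursor(), which uses %s; the admin table and its rows are constructed for the demo.

```python
import sqlite3

ESCAPE = "\\"  # escape character declared in the LIKE ... ESCAPE clause


def like_pattern(user_input: str) -> str:
    """Build a '%...%' pattern from untrusted input.

    The pattern is passed as a bound parameter, so it can never break out
    of the SQL string. Parameters do NOT neutralise LIKE's own wildcards,
    though: a user typing '%' would otherwise match every row, so %, _
    and the escape character itself are escaped so they match literally.
    """
    escaped = (user_input.replace(ESCAPE, ESCAPE + ESCAPE)
                         .replace("%", ESCAPE + "%")
                         .replace("_", ESCAPE + "_"))
    return f"%{escaped}%"


def search_names(conn: sqlite3.Connection, user_input: str) -> list:
    # sqlite3 uses '?' placeholders; Django's cursor uses '%s' on every backend,
    # where this same statement reads "... WHERE name LIKE %s ESCAPE '\\'".
    # Because the wildcards live in the bound value, the SQL text itself
    # contains no literal %, so none of the %% doubling from the question is needed.
    # (The ORM equivalent, Admin.objects.filter(name__contains=user_input),
    # does this escaping for you.)
    sql = "SELECT name FROM admin WHERE name LIKE ? ESCAPE '\\'"
    cur = conn.execute(sql, (like_pattern(user_input),))
    return [row[0] for row in cur.fetchall()]


def make_demo_db() -> sqlite3.Connection:
    # constructed in-memory table standing in for the question's `admin` table
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO admin (name) VALUES (?)",
        [("myTitle",), ("other",), ("100%_done",), ("x' OR '1'='1",)],
    )
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    for probe in ("Title", "%", "_done", "' OR '1'='1"):
        print(repr(probe), "->", search_names(db, probe))
```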