Hi Faith,
On 20/06/2020 12.27, Faith Mwai wrote:
I am having a challenge displaying data in my template table; the
function is:

    def customers(request):
        if request.method == 'POST':
            accountno = request.POST['accountno']
            id = request.POST['id']
            Mobilenumber = request.POST['Mobilenumber']
            cursor = con.cursor()
            querystring = ("Select Messages, amount, date from Accounts where accountno = "
                           "'accountno' or Mobilenumber = 'Mobilenumber' ")
            cursor.execute(querystring)
Isn't this a textbook example of an SQL injection?
I seriously don't know if there's anything to prevent that in this code,
but someone else might know.
I'm mainly wondering why you're using raw SQL in the first place?
Kind regards,
Kasper Laudrup
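Added illustration, not part of the thread above: the query as posted compares the columns against the literal strings 'accountno' and 'Mobilenumber', so it never matches a row, and the usual fix is to pass the submitted values as query parameters. The table, rows and column types below are constructed to stand in for the Accounts table; sqlite3 is used only so it runs offline (Django's own cursor takes the same params tuple but with %s placeholders on every backend).

```python
import sqlite3


def make_db():
    # Constructed stand-in for the Accounts table from the post.
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE Accounts (accountno TEXT, Mobilenumber TEXT, "
        "Messages TEXT, amount REAL, date TEXT)"
    )
    con.executemany(
        "INSERT INTO Accounts VALUES (?, ?, ?, ?, ?)",
        [
            ("A100", "0700111222", "Deposit", 50.0, "2020-06-01"),
            ("A200", "0700333444", "Withdrawal", 20.0, "2020-06-02"),
        ],
    )
    return con


def lookup_as_posted(con, accountno, mobilenumber):
    # The query from the post: 'accountno' and 'Mobilenumber' are string
    # literals, so the submitted values are never consulted and no row matches.
    cur = con.cursor()
    cur.execute(
        "SELECT Messages, amount, date FROM Accounts "
        "WHERE accountno = 'accountno' OR Mobilenumber = 'Mobilenumber'"
    )
    return cur.fetchall()


def lookup_parameterized(con, accountno, mobilenumber):
    # Placeholders: the driver sends the values separately from the SQL text,
    # so whatever the user typed is treated as data, never as part of the query.
    # With Django's connection.cursor() the placeholders would be %s instead of ?.
    # The ORM equivalent would be
    #   Accounts.objects.filter(Q(accountno=accountno) | Q(Mobilenumber=mobilenumber))
    # which builds the parameterized query for you.
    cur = con.cursor()
    cur.execute(
        "SELECT Messages, amount, date FROM Accounts "
        "WHERE accountno = ? OR Mobilenumber = ? ORDER BY date",
        (accountno, mobilenumber),
    )
    return cur.fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_as_posted(db, "A100", "0700333444"))      # []
    print(lookup_parameterized(db, "A100", "0700333444"))  # both rows
```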
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-users/40d1c9b2-ead4-3600-504b-4cdd7c49302f%40stacktrace.dk.