diff -r 61f2217dfc1c docs/topics/db/sql.txt
| a | b | |
| 154 | 154 | |
| 155 | 155 | It's tempting to write the above query as:: |
| 156 | 156 | |
| 157 | | >>> query = 'SELECT * FROM myapp_person WHERE last_name = %s', % lname |
| | 157 | >>> query = 'SELECT * FROM myapp_person WHERE last_name = %s' % lname |
| 158 | 158 | >>> Person.objects.raw(query) |
| 159 | 159 | |
| 160 | 160 | **Don't.** |
| 161 | 161 | |
| 162 | 162 | Using the ``params`` list completely protects you from `SQL injection |
| 163 | | attacks`__`, a common exploit where attackers inject arbitrary SQL into |
| | 163 | attacks`__, a common exploit where attackers inject arbitrary SQL into |
| 164 | 164 | your database. If you use string interpolation, sooner or later you'll |
| 165 | 165 | fall victim to SQL injection. As long as you remember to always use the |
| 166 | 166 | ``params`` list you'll be protected. |
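Review bot: The sentence at 162-166 still overstates the guarantee and should be qualified while this paragraph is being touched: ``params`` only protects the values it substitutes into the query, so "completely protects you from SQL injection attacks" is true for ``last_name = %s`` but not for anything that cannot be a bind parameter (table or column names, ``ORDER BY`` targets, whole clauses), which callers of ``raw()`` still have to validate separately before building the string. Suggest "Using the ``params`` list protects the values you pass from `SQL injection attacks`__ ..." and scoping the closing "As long as you remember to always use the ``params`` list you'll be protected" to values. The two corrections themselves are right: the stray comma at 157 made the "Don't" example a syntax error rather than the valid-but-dangerous Python it is meant to show, and dropping the extra backtick at 163 restores the reST anonymous hyperlink ``attacks`__``.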