How can I prevent SQL injection in PYTHON-DJANGO?

Jayron Soares · Dec 9, 2013 · Viewed 24.6k times

If a lamer input is inserted into an SQL query directly, the application becomes vulnerable to SQL injection, like in the following example:

# untrusted request parameter
dinossauro = request.GET['username']

# spliced straight into the statement text: vulnerable to SQL injection
sql = "SELECT * FROM user_contacts WHERE username = '%s';" % dinossauro

To drop the tables or anything -- making the query:

INSERT INTO table (column) VALUES('value'); DROP TABLE table;--')

What may one do to prevent this?

Answer

Suor · Dec 9, 2013

First, you probably should just use the Django ORM; it will prevent any possibility of SQL injection.

If for any reason you can't or don't want to, then you should use the Python Database API. Here is the way you usually do that in Django:

from django.db import connection

cursor = connection.cursor()
# %s is a placeholder, not string formatting: the value is passed
# separately in the parameter tuple and is never spliced into the SQL text
cursor.execute('insert into table (column) values (%s)', (dinosaur,))
cursor.close()

You can also use the handy python package to reduce the boilerplate:

from handy.db import do_sql

do_sql('insert into table (column) values (%s)', (dinosaur,))
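To show why the parameter tuple matters, here is an added, self-contained example (not code from the question or the answer) that runs the question's string-formatted query and the answer's parameterised query side by side against an in-memory sqlite3 database standing in for Django's connection; the table schema and sample rows are constructed for the demo, and sqlite3 uses `?` as its placeholder where Django's cursor uses `%s`.

```python
import sqlite3

# Constructed sample rows, not data from the original post.
SAMPLE_CONTACTS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]
# The question's own payload, used here purely as an input string.
PAYLOAD = "value'); DROP TABLE table;--"


def make_db():
    """In-memory stand-in for Django's connection; the schema is assumed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_contacts (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO user_contacts VALUES (?, ?)", SAMPLE_CONTACTS)
    return conn


def lookup_vulnerable(conn, username):
    """The question's pattern: the input is spliced into the SQL text with %."""
    sql = "SELECT * FROM user_contacts WHERE username = '%s';" % username
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        # The quote in the input has rewritten the statement: the database
        # is now parsing attacker-controlled SQL instead of a string literal.
        return None


def lookup_parametrized(conn, username):
    """The answer's pattern: placeholder in the SQL, value in the tuple."""
    sql = "SELECT * FROM user_contacts WHERE username = ?;"
    return conn.execute(sql, (username,)).fetchall()


def insert_parametrized(conn, username, email):
    """Values never touch the SQL text, so quotes and ';' are just data."""
    cur = conn.execute("INSERT INTO user_contacts VALUES (?, ?)", (username, email))
    return cur.rowcount


def demo():
    conn = make_db()
    results = {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),      # None: statement broken
        "parametrized": lookup_parametrized(conn, PAYLOAD),  # []: no such user
    }
    insert_parametrized(conn, PAYLOAD, "x@example.com")
    # The payload is stored verbatim as a username and the table still exists.
    results["stored"] = lookup_parametrized(conn, PAYLOAD)
    results["rows"] = conn.execute("SELECT count(*) FROM user_contacts").fetchone()[0]
    return results


if __name__ == "__main__":
    print(demo())
```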