var_id = 10
var_city = 20
var_state = 30
# positional params: each %s placeholder is bound to the matching list entry
mymodel.objects.raw('''SELECT * from users
where id = %s and
city = %s and
state = %s ''', [var_id, var_city, var_state])
Warning
Do not use string formatting on raw queries!
It's tempting to write the above query as:
>>> query = 'SELECT * FROM myapp_person WHERE last_name = %s' % lname
>>> Person.objects.raw(query)
Don't.
Using the params list completely protects you from SQL injection attacks, a common exploit where attackers inject arbitrary SQL into your database. If you use string interpolation, sooner or later you'll fall victim to SQL injection. As long as you remember to always use the params list you'll be protected.
my_dict = {
'id': 10,
'city': 20,
'state': 30
}
# named params: each %(name)s placeholder is bound to the dict entry with that key
mymodel.objects.raw('''SELECT * from users
where id = %(id)s and
city = %(city)s and
state = %(state)s ''', my_dict)
Use the params argument to raw():
params is the list of parameters. You use %s placeholders in the query string (regardless of which database engine you are on); they are replaced with the entries of the params list. Important note from the Django docs:
You can also use a dictionary and variables in the query:
You can read more here: https://docs.djangoproject.com/en/1.10/topics/db/sql/#passing-parameters-into-raw
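The following is an added, self-contained illustration (not code from the answer or from Django) of why the params list matters: a stand-in for raw() binds %s and %(name)s placeholders through the DB-API driver, and is compared against the string-formatting pattern the docs warn about. It uses an in-memory SQLite table with constructed rows in place of myapp_person; the run_raw helper is a hypothetical simplification of Django's placeholder handling, not its implementation.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table standing in for the answer's myapp_person model."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE myapp_person (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO myapp_person (first_name, last_name) VALUES (?, ?)",
        [("Ada", "Lovelace"), ("Conor", "O'Brien"), ("Grace", "Hopper")],
    )
    return conn


def run_raw(conn, sql, params):
    """Stand-in for raw(sql, params): rewrite Django-style placeholders to the
    driver's own (%s -> ?, %(name)s -> :name) and let the driver bind the values.
    The values never become part of the SQL text, so quotes in them are just data."""
    if isinstance(params, dict):
        sql = re.sub(r"%\((\w+)\)s", r":\1", sql)
    else:
        sql = sql.replace("%s", "?")
    return conn.execute(sql, params).fetchall()


def lookup_by_last_name(conn, lname):
    """The recommended form: the value travels in the params list."""
    return run_raw(conn, "SELECT id, first_name FROM myapp_person WHERE last_name = %s", [lname])


def lookup_by_dict(conn, params):
    """Same idea with named placeholders and a dict, as in the second snippet above."""
    return run_raw(
        conn, "SELECT id FROM myapp_person WHERE id = %(id)s AND last_name = %(last_name)s", params
    )


def lookup_unsafe(conn, lname):
    """The pattern the docs say not to use: the value is spliced into the SQL text.
    Returns the rows, or None when the spliced value breaks the statement."""
    query = "SELECT id, first_name FROM myapp_person WHERE last_name = '%s'" % lname
    try:
        return conn.execute(query).fetchall()
    except sqlite3.OperationalError:
        return None
```

A last name such as O'Brien is found by the parameterised lookup but turns the string-formatted query into a syntax error, which is the mildest symptom of the value being interpreted as SQL rather than as data.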