Django using cursor.execute for SQL WHERE LIKE querying

Hi,

I wanted to query a database table for which no model exists, so I had to use .execute.

I am relatively new to this, and I just want to know whether this query (a WHERE ... LIKE query) can lead to SQL injection in any way.

Adding %% around %s won't work, since the % has to occur inside the string, which makes it difficult. So I made this query:

cursor.execute("SELECT * from api_user WHERE mobile_no LIKE %s", ['%' + search + '%'])

where search is a string variable obtained as a query parameter.

That is the correct way of forming this query without any SQL injection possibility. The use of '%' in params is safe.

A separate issue: SELECT * is a bit fragile since the database may change the order of the columns it returns after some migrations. It’s better to explicitly name the columns you want.

That said - you can use Django models to query arbitrary tables. See the inspectdb command and using a model with Meta.managed = False.

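An added example (not code from the thread) showing the same parameterised LIKE pattern against a constructed in-memory sqlite3 table standing in for api_user. It uses the sqlite3 module's '?' placeholder where Django's cursor uses %s, and also shows a related caveat the answer does not cover: a user-supplied % or _ inside the search term acts as a wildcard unless it is escaped with an ESCAPE clause.

```python
import sqlite3

LIKE_ESCAPE = "\\"  # escape character used in the ESCAPE clause below


def make_db():
    """Constructed in-memory stand-in for api_user (sample rows, not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_user (id INTEGER PRIMARY KEY, mobile_no TEXT NOT NULL)")
    conn.executemany("INSERT INTO api_user (mobile_no) VALUES (?)",
                     [("555-0100",), ("555-0199",), ("100_200",), ("9001",)])
    return conn


def search_mobile(conn, search):
    """The thread's approach: wildcards are part of the bound parameter, not the SQL text.
    sqlite3 uses '?' placeholders; Django's cursor.execute uses '%s' in the same way."""
    sql = "SELECT id, mobile_no FROM api_user WHERE mobile_no LIKE ? ORDER BY id"
    return [row[1] for row in conn.execute(sql, ["%" + search + "%"])]


def escape_like(term, esc=LIKE_ESCAPE):
    """Escape LIKE metacharacters so a user-supplied '%' or '_' matches literally."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_mobile_literal(conn, search):
    """Same query, but the user's term is matched as literal text via ESCAPE."""
    sql = "SELECT id, mobile_no FROM api_user WHERE mobile_no LIKE ? ESCAPE ? ORDER BY id"
    params = ["%" + escape_like(search) + "%", LIKE_ESCAPE]
    return [row[1] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    conn = make_db()
    print(search_mobile(conn, "555-01"))       # ['555-0100', '555-0199']
    print(search_mobile(conn, "555'"))         # []  (the quote is bound as data, no syntax error)
    print(search_mobile(conn, "_"))            # every row: '_' is a single-character wildcard
    print(search_mobile_literal(conn, "_"))    # ['100_200']
```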

Thank you so much for resolving the issue and pointing out the alternative; I will look into the inspectdb command.

Edit: The inspectdb method is a way better alternative; thank you for pointing it out.