Django using cursor.execute for SQL WHERE LIKE querying


I wanted to query the database whose model doesn’t exist, so I had to use .execute,

I am relatively new to this and I just want to know if this query can cause SQL injection in any way (WHERE LIKE query)

Addition of %% around %s wont work since % has to occur inside the string which makes it difficult, So I made this query

cursor.execute(“SELECT * from api_user WHERE mobile_no LIKE %s”, [’%’ + search + ‘%’])

Where search is a string variable obtained as query parameter

That is the correct of forming this query without SQL injection possibility. The use of '%' in params is safe.

A separate issue: SELECT * is a bit fragile since the database may change the order of the columns it returns after some migrations. It’s better to explicitly name the columns you want.

That said - you can use Django models to query arbitrary tables. See the inspectdb command and using a model with Meta.managed = False.


Thank you so much for resolving the issue and pointing out the alternative, will look into inspectdb command

Edit: Inspectdb method is a way better alternative, thank you for pointing it out