SQL Injection: How to avoid it

Suppose the value of the "title" parameter in the query string is "' OR 'a'='a". If that string were spliced directly into the SQL text, the leading quote would close the string literal and the rest would become part of the WHERE clause, matching every row.

Code:
from books.models import Book  # assumption: the Book model lives in a "books" app (table books_book)

# %s is a placeholder for a bound parameter; the user-supplied title is passed
# separately in the params list, never formatted into the query string itself.
qry = "SELECT * FROM books_book WHERE title = %s"
book = Book.objects.raw(qry, [title])  # RawQuerySet; the query runs when iterated

Now the %s placeholder is filled in by the database driver as a bound parameter, so the value is automatically quoted/escaped: "' OR 'a'='a" is compared literally against the title column and cannot change the structure of the query. Note that %s is Django's placeholder syntax for raw() on every backend; do not use Python string formatting (the % operator or f-strings) to build qry, since that is exactly the injection this avoids.
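The same contrast run end to end, as an added example that is not part of the original page: a plain sqlite3 in-memory database stands in for the Django table (the sqlite3 module uses ? as its placeholder where Book.objects.raw() uses %s), with the page's payload sent through a string-formatted query and through a parameterized one. Table contents and function names are constructed for the example.

```python
import sqlite3

# The "title" value from the page's query string.
PAYLOAD = "' OR 'a'='a"


def make_db():
    # Constructed sample data shaped like the page's books_book table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books_book (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO books_book (title) VALUES (?)",
                     [("Dune",), ("Neuromancer",), ("Snow Crash",)])
    conn.commit()
    return conn


def find_books_vulnerable(conn, title):
    # The title is spliced into the SQL text. The quote in the payload closes
    # the string literal and the rest becomes part of the WHERE clause:
    #   SELECT title FROM books_book WHERE title='' OR 'a'='a'
    qry = "SELECT title FROM books_book WHERE title='%s'" % title
    return [row[0] for row in conn.execute(qry)]


def find_books_safe(conn, title):
    # The title is sent as a bound parameter. sqlite3 uses ? where Django's
    # raw() uses %s; in both cases the driver supplies the value separately
    # from the SQL text, so the quote can never end the string literal.
    qry = "SELECT title FROM books_book WHERE title=?"
    return [row[0] for row in conn.execute(qry, [title])]


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", find_books_vulnerable(conn, PAYLOAD))  # every title
    print("safe:      ", find_books_safe(conn, PAYLOAD))        # []
    print("safe/real: ", find_books_safe(conn, "Dune"))         # ['Dune']
```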
