The value of the "title" parameter in the query string is "' OR 'a'='a".

Code:
qry = "SELECT * FROM books_book WHERE title=%s"
book = Book.objects.raw(qry, [title])

Because title is passed in the params list rather than interpolated into the query text, the value substituted for %s is automatically escaped, so the injected quotes are treated as part of a literal string, not as SQL.
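As an added example (not code from the original page), the following uses Python's sqlite3 module as a stand-in for Django's Book.objects.raw(): it runs the same "' OR 'a'='a" input through a constructed, vulnerable string-formatted query and through a parameterised one. sqlite3 uses ? as its placeholder where Django's raw() uses %s; the table contents are constructed sample data.

```python
import sqlite3

# Constructed sample rows standing in for the books_book table.
SAMPLE_BOOKS = [("Dune",), ("Neuromancer",), ("Snow Crash",)]

# The attacker-controlled query-string value discussed on the page.
INJECTED_TITLE = "' OR 'a'='a"


def make_db():
    """Build an in-memory database with the sample books_book table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books_book (title TEXT)")
    conn.executemany("INSERT INTO books_book (title) VALUES (?)", SAMPLE_BOOKS)
    return conn


def find_books_unsafe(conn, title):
    """Vulnerable (constructed for contrast): the value is pasted into the SQL
    text, so the quotes in "' OR 'a'='a" close the string literal and append
    an always-true condition, matching every row."""
    qry = "SELECT title FROM books_book WHERE title='%s'" % title
    return sorted(row[0] for row in conn.execute(qry))


def find_books_safe(conn, title):
    """Safe: the value is bound as a parameter, the sqlite3 analogue of
    Book.objects.raw(qry, [title]). The driver escapes it and the database
    only ever sees it as a literal string, never as SQL."""
    qry = "SELECT title FROM books_book WHERE title=?"
    return sorted(row[0] for row in conn.execute(qry, [title]))


if __name__ == "__main__":
    db = make_db()
    print("unsafe:", find_books_unsafe(db, INJECTED_TITLE))  # every row
    print("safe:  ", find_books_safe(db, INJECTED_TITLE))    # no rows
```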