Are Django Q objects (complex queries) with user input secure?

Is it possible to inject a SQL attack through these queries? Is it okay to insert user input into the query directly, like below, or does it need a validation step beforehand?

    from django.db.models import Q

    # Inside a class-based view: the raw search string comes straight from the query string
    query = self.request.GET.get('q')
    query_result = Consultant.objects.filter(
        Q(first_name__icontains=query) |
        Q(last_name__icontains=query) |
        Q(group__title_techGroup__contains=query) |
        Q(practices__title_practice__contains=query)
    )

>Solution:

Yes, they’re just as secure as .filter() is in general (unless you explicitly use e.g. RawSQL or .extra() to sidestep all security and tell Django that You Know What You’re Doing).
