Is it possible to inject a SQL attack in these queries? is it okay to insert user input in the query directly like below or it need a validation etap in advance :
query = self.request.GET.get('q')
query_result= Consultant.objects.filter(
Q(first_name__icontains=query) |
Q(last_name__icontains=query) |
Q(group__title_techGroup__contains=query) |
Q(practices__title_practice__contains=query)
)
>Solution :
Yes, they’re just as secure as .filter() is in general (unless you explicitly use e.g. RawSQL or .extra() to sidestep all security and tell Django that You Know What You’re Doing).