
Is it possible to inject a SQL attack in these queries? Is it okay to insert user input in the query directly like below, or does it need a validation step in advance?

    from django.db.models import Q

    # Raw search term taken straight from the query string, no validation.
    query = self.request.GET.get('q')
    query_result = Consultant.objects.filter(
        Q(first_name__icontains=query) |
        Q(last_name__icontains=query) |
        Q(group__title_techGroup__contains=query) |
        Q(practices__title_practice__contains=query)
    )
    
Anne Yo

1 Answer


Yes, they're just as secure as .filter() is in general (unless you explicitly use e.g. RawSQL or .extra() to sidestep all security and tell Django that You Know What You're Doing).

AKX