I'm running into some problems handling forms in Python/Django when using raw SQL queries. I'm using https://docs.djangoproject.com/en/dev/topics/db/sql/ as a reference. I get an error when I try to iterate over the RawQuerySet returned by the raw SQL query. Any help would be much appreciated. Here is part of my view.
import logging

from django import forms

# Org, P and PredictionGroup are the project's own models; the import path is assumed
from .models import Org, P, PredictionGroup


class SearchForm(forms.Form):
    pr_name = forms.CharField(label="Pr Name", max_length=64, required=False)
    org = forms.ModelChoiceField(queryset=Org.objects.all(), required=False)
    group_name = forms.CharField(label="Unique Submission Name", max_length=64, required=False)
    group_ref = forms.CharField(label="Ref", max_length=12, required=False)
    group_url = forms.URLField(label="URL", required=False)


def search(request):
    if request.method == 'POST':
        form = SearchForm(request.POST)
        if form.is_valid():
            p_ids = []
            g_ids = []
            f_ids = []
            logging.debug('hello1')
            # Filter first: the SQL text is built by concatenating the cleaned form values
            firstQuery = 'SELECT * FROM pr where '
            pr_name = form.cleaned_data['pr_name']
            if pr_name:
                logging.debug('hello2')
                firstQuery += '(name like \'%' + pr_name + '%\')'
            else:
                pass
            logging.debug('hello3')
            org = form.cleaned_data['org']
            if org:
                org = Org.objects.get(name = org)
                org_id = org.id
                firstQuery += '(org_id = ' + str(org_id) + ')'
            else:
                pass
            # Turn adjacent ")(" pairs into ") AND ("
            firstQuery = firstQuery.replace(')(', ') AND (')
            #logging.debug('First query: %s' % firstQuery)
            p_search_results = P.objects.raw(firstQuery)
            logging.debug('First query: %s' % p_search_results)
            # The RawQuerySet is lazy; the query actually runs on this iteration
            for x in p_search_results:
                p_ids.append(x.id)
            logging.debug('p_ids: %s' % p_ids)
            # Filter Group: same string-building approach for the second table
            secondQuery = 'SELECT * FROM group where '
            group_name = form.cleaned_data['group_name']
            if group_name:
                secondQuery += '(name like \'%' + group_name + '%\')'
            else:
                pass
            group_ref = form.cleaned_data['group_ref']
            if group_ref:
                secondQuery += '(ref like \'%' + group_ref + '%\')'
            else:
                pass
            group_url = form.cleaned_data['group_url']
            if group_url:
                secondQuery += '(method_url like \'%' + group_url + '%\')'
            else:
                pass
            secondQuery = secondQuery.replace(')(', ') AND (')
            logging.debug('Second query: %s' % secondQuery)
            group_search_results = PredictionGroup.objects.raw(secondQuery)
            logging.debug('Second query: %s' % group_search_results)
            for x in group_search_results:
                g_ids.append(x.id)
            logging.debug('g_ids: %s' % g_ids)
            ...
            ...
            ...
The error is:
Never, never, never, never, never build SQL parameters like this. In fact, this is so important that I'll say it again: never, ever, ever, ever, ever build SQL parameters like this. You have left yourself wide open to SQL injection attacks: what happens if someone submits "foo'; DELETE FROM pr;" in your pr_name field? That's right, the database will faithfully execute both commands and delete the pr table. Django normally protects you from this by correctly escaping all input to SQL commands. For some reason you chose to bypass the ORM: now, sometimes you do need to bypass the ORM in order to formulate complex queries, but there is nothing complex about the queries shown above.
You should do it like this:
and so on.
The error
not enough arguments for format string
comes from a line like this: your string has two %s that need to be substituted, but there is only one variable after the % operator. I can't help wondering whether the stack trace is off, because the error is caused by misusing the % operator. A for loop would not trigger this problem.
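The parameterized form of the asker's first query, as an added example that is not code from either answer: the form values travel in a params list that Django would pass through as P.objects.raw(sql, params), so the driver quotes them (the first answer's point), and the LIKE wildcards sit inside the parameter rather than the SQL text, so no bare '%' is left for the driver's %s substitution to choke on (the error the second answer discusses). The pr table and its rows are constructed, and sqlite3 is used only so the block runs offline.

```python
import sqlite3

# Constructed sample rows standing in for the asker's `pr` table.
SAMPLE_ROWS = [
    (1, "alpha project", 1),
    (2, "beta project", 2),
    (3, "foo'; DELETE FROM pr;", 1),  # a name that itself contains SQL syntax
]

def build_pr_query(pr_name=None, org_id=None):
    """Build the question's first query as (sql, params), not one string.

    Each form value becomes a %s placeholder, so the driver quotes it and
    the input can never change the statement's structure. The LIKE
    wildcards live in the parameter, so no literal '%' is left in the SQL
    text for the driver's %s substitution to trip over.
    """
    conditions, params = [], []
    if pr_name:
        conditions.append("name LIKE %s")
        params.append("%" + pr_name + "%")
    if org_id is not None:
        conditions.append("org_id = %s")
        params.append(org_id)
    sql = "SELECT * FROM pr"
    if conditions:
        sql += " WHERE " + " AND ".join("(" + c + ")" for c in conditions)
    return sql, params

def run_on_sqlite(sql, params):
    """Run the pair on an in-memory sqlite copy of the sample table.

    In Django it would be passed as P.objects.raw(sql, params); every
    Django backend takes %s placeholders, while sqlite3's DB-API style is
    '?', so the marker is swapped here only to run offline. Returns
    (matching rows, number of rows still in the table afterwards).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pr (id INTEGER, name TEXT, org_id INTEGER)")
    conn.executemany("INSERT INTO pr VALUES (?, ?, ?)", SAMPLE_ROWS)
    rows = conn.execute(sql.replace("%s", "?"), params).fetchall()
    remaining = conn.execute("SELECT COUNT(*) FROM pr").fetchone()[0]
    conn.close()
    return rows, remaining

if __name__ == "__main__":
    # The first answer's payload is now plain data: it matches row 3 and deletes nothing.
    print(run_on_sqlite(*build_pr_query("foo'; DELETE FROM pr;")))
```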