将param注入原始查询python

当使用（其中user_id=1）时，我可以得到结果，但当inject param时，我得到如下回溯：“user”对象是不可编辑的，任何关于inject param到原始查询的想法

my views.py：

 class TransactionViews(viewsets.ViewSet):
            def list(self, request):
                user = get_object_or_404(User, pk=request.user.id)
                queryset = Transaction.objects.raw("SELECT product.name, transaction.* from product inner join variant on product.id = variant.product_id inner join transactions_variants on variant.id = transactions_variants.variant_id inner join transaction on transactions_variants.transaction_id = transaction.id where user_id=%s",user)
                serializer = TransactionSerializer(queryset, many=True)
                return Response(serializer.data, status=200)

还有一个问题：

queryset = Transaction.objects.filter(user_id=user).exclude(deleted_at__isnull=False)

如何将此“.exclude（deleted_at_uuisnull=False）”转换为原始查询（此exclude是软删除的条件）

请试试这个：

queryset = Transaction.objects.raw("SELECT product.name, transaction.* from product inner join variant on product.id = variant.product_id inner join transactions_variants on variant.id = transactions_variants.variant_id inner join transaction on transactions_variants.transaction_id = transaction.id where user_id=%s",user.id) queryset=Transaction.objects.raw（“从product.id=variant.product\u id internal join transactions\u variants.id=transactions\u variants.variants\u id internal join Transaction\u variants.Transaction\u id=Transaction.id，其中用户\u id=%s”，user.id）中选择product.name，Transaction.* ，您需要将查询参数作为元组或列表传递-即使只有一个参数。瞧，你想要：

queryset = Transaction.objects.raw("your long query here where user_id=%s", [user])

---

别这样！您的代码对SQLi不安全。看。我不太懂，你能给我看一下我代码中的示例吗？我读过，但我如何在代码中应用curs？？：cmd=“update people set name=%s where id=%s”curs.execute（cmd，（name，id））nice it work@Pranitha，但我们必须将其放入[]=>[user.id]

queryset = Transaction.objects.raw("your long query here where user_id=%s", [user])