Injecting a param into a raw query in Python
When I use a literal (where user_id=1) I get results, but when I inject the param I get the following traceback: 'User' object is not iterable. Any ideas on how to inject the param into the raw query? My views.py:
from django.contrib.auth.models import User
from django.shortcuts import get_object_or_404
from rest_framework import viewsets
from rest_framework.response import Response
from .models import Transaction  # app-local module (assumed)
from .serializers import TransactionSerializer  # app-local module (assumed)

class TransactionViews(viewsets.ViewSet):
    def list(self, request):
        user = get_object_or_404(User, pk=request.user.id)
        queryset = Transaction.objects.raw("SELECT product.name, transaction.* from product inner join variant on product.id = variant.product_id inner join transactions_variants on variant.id = transactions_variants.variant_id inner join transaction on transactions_variants.transaction_id = transaction.id where user_id=%s", user)  # passing the User instance as params raises the error above
        serializer = TransactionSerializer(queryset, many=True)
        return Response(serializer.data, status=200)
One more question:
queryset = Transaction.objects.filter(user_id=user).exclude(deleted_at__isnull=False)
How do I convert this `.exclude(deleted_at__isnull=False)` into the raw query? (This exclude is the soft-delete condition.)
Please try this:
queryset = Transaction.objects.raw("SELECT product.name, transaction.* from product inner join variant on product.id = variant.product_id inner join transactions_variants on variant.id = transactions_variants.variant_id inner join transaction on transactions_variants.transaction_id = transaction.id where user_id=%s", [user.id])  # params must be a list or tuple, even for a single value
You need to pass the query parameters as a tuple or list, even if there is only one parameter. So you want:
queryset = Transaction.objects.raw("your long query here where user_id=%s", [user.id])  # a list with the primary key, not the User instance
Don't do that! Your code is not safe against SQLi. See.
I don't quite understand; can you show me an example with my code? I have read it, but how do I apply curs in my code??: cmd = "update people set name=%s where id=%s"; curs.execute(cmd, (name, id))
Nice, it works @Pranitha, but we have to put it in [] => [user.id]
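To make the two points of this thread concrete (the params must be a sequence, and the soft-delete filter becomes an `IS NULL` test), here is an added, stand-alone example that is not part of any post above. It uses Python's built-in `sqlite3` DB-API instead of Django so it runs offline; the schema and rows are constructed to match the table names in the question, and `?` is the sqlite3 placeholder where Django's `raw()` uses `%s`.

```python
import sqlite3

# Raw SQL mirroring the join in the question. The ORM filter
# .exclude(deleted_at__isnull=False) is the same as "deleted_at IS NULL".
# "transaction" is quoted because it is a reserved word in SQLite.
TRANSACTIONS_FOR_USER_SQL = """
SELECT product.name, "transaction".*
FROM product
INNER JOIN variant ON product.id = variant.product_id
INNER JOIN transactions_variants ON variant.id = transactions_variants.variant_id
INNER JOIN "transaction" ON transactions_variants.transaction_id = "transaction".id
WHERE "transaction".user_id = ?
  AND "transaction".deleted_at IS NULL
"""


def build_demo_db():
    """Constructed sample data: two users, one soft-deleted transaction for user 1."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE variant (id INTEGER PRIMARY KEY, product_id INTEGER);
        CREATE TABLE "transaction" (id INTEGER PRIMARY KEY, user_id INTEGER, deleted_at TEXT);
        CREATE TABLE transactions_variants (transaction_id INTEGER, variant_id INTEGER);
        INSERT INTO product VALUES (1, 'Widget'), (2, 'Gadget');
        INSERT INTO variant VALUES (10, 1), (20, 2);
        INSERT INTO "transaction" VALUES (100, 1, NULL), (101, 1, '2023-01-01'), (102, 2, NULL);
        INSERT INTO transactions_variants VALUES (100, 10), (101, 20), (102, 20);
    """)
    return conn


def transactions_for_user(conn, user_id):
    """Parameterised lookup: user_id is bound as a value, never spliced into the SQL text.

    The parameters are passed as a list even though there is only one of them,
    which is exactly the mistake behind the 'not iterable' error in the question.
    A hostile string such as "1 OR 1=1" is compared as a literal and matches nothing.
    """
    cur = conn.execute(TRANSACTIONS_FOR_USER_SQL, [user_id])
    return [row[0] for row in cur.fetchall()]  # product names of live transactions


if __name__ == "__main__":
    db = build_demo_db()
    print(transactions_for_user(db, 1))           # ['Widget'] (deleted transaction excluded)
    print(transactions_for_user(db, "1 OR 1=1"))  # [] (treated as data, not SQL)
```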