from django.db import connection user_input = "'; DROP TABLE users; --" query = "SELECT * FROM users WHERE username = %s" with connection.cursor() as cursor: cursor.execute(query, [user_input]) results = cursor.fetchall()

from django.db import connection user_input = "'; DROP TABLE users; --" query = f"SELECT * FROM users WHERE username = '{user_input}'" with connection.cursor() as cursor: cursor.execute(query) results = cursor.fetchall()

Pattern

DOM Operations

Reflows

Paint Cost

Verdict

Raw SQL with string interpolation

N/A

[X] Bad

Parameterized queries with ORM

N/A

[OK] Good

Practice

(1/5)

1. Which of the following best explains how Django ORM protects against SQL injection?

easy

A. It automatically escapes user inputs when building queries.

B. It disables all user inputs by default.

C. It requires manual escaping of inputs in queries.

D. It converts all queries to raw SQL strings.

Solution

Step 1: Understand Django ORM query building
Django ORM builds SQL queries by safely escaping user inputs automatically.
Step 2: Compare options with ORM behavior
Only automatic escaping matches Django ORM's protection against SQL injection.
Final Answer:
It automatically escapes user inputs when building queries. -> Option A
Quick Check:
Django ORM auto-escapes inputs = C [OK]

Hint: Remember: ORM escapes inputs automatically to prevent injection [OK]

Common Mistakes:

Thinking ORM disables inputs
Believing manual escaping is needed
Assuming ORM uses raw SQL strings

2. Which Django ORM method is safe to use for filtering records with user input?

easy

A. Model.objects.raw(f"SELECT * FROM table WHERE name = '{user_input}'")

B. Model.objects.filter("name = " + user_input)

C. Model.objects.filter(name=user_input)

D. Model.objects.execute_sql("SELECT * FROM table WHERE name = " + user_input)

Solution

Step 1: Identify safe ORM filtering syntax
Model.objects.filter(name=user_input) uses ORM's parameter binding and escapes input safely.
Step 2: Analyze other options for unsafe practices
Options A, B, and C build raw SQL strings or invalid syntax, risking injection.
Final Answer:
Model.objects.filter(name=user_input) -> Option C
Quick Check:
Use filter() with keyword args for safe queries = D [OK]

Hint: Use filter() with keyword arguments, not raw SQL strings [OK]

Common Mistakes:

Using raw SQL with string concatenation
Passing raw SQL strings to filter()
Ignoring ORM's parameter binding

3. What will be the output of this Django ORM query if user_input = "Robert'); DROP TABLE users;--"?

users = User.objects.filter(username=user_input)
print(users.query)

medium

A. A raw SQL query that deletes the users table

B. An empty query with no filtering

C. A syntax error due to unescaped quotes

D. A safe SQL query with escaped input preventing injection

Solution

Step 1: Understand ORM query with dangerous input
ORM escapes dangerous characters in user_input to prevent SQL injection.
Step 2: Analyze printed query behavior
Printed query shows safe SQL with escaped input, not raw injection or errors.
Final Answer:
A safe SQL query with escaped input preventing injection -> Option D
Quick Check:
ORM escapes dangerous input = B [OK]

Hint: ORM escapes dangerous input, so injection won't happen [OK]

Common Mistakes:

Assuming raw SQL runs as is
Expecting syntax errors from quotes
Thinking ORM ignores dangerous input

4. Identify the error in this Django ORM code that tries to prevent SQL injection:

query = "SELECT * FROM users WHERE username = '%s'" % user_input
users = User.objects.raw(query)

medium

A. The raw() method automatically escapes inputs, so no error.

B. Using raw SQL with string formatting allows SQL injection.

C. The filter() method should be used instead of raw().

D. The query string is missing parameter placeholders.

Solution

Step 1: Analyze string formatting with user input
Using % formatting inserts user_input directly, risking SQL injection.
Step 2: Understand raw() method behavior
raw() executes raw SQL without escaping, so injection risk remains.
Final Answer:
Using raw SQL with string formatting allows SQL injection. -> Option B
Quick Check:
String formatting + raw() = injection risk = A [OK]

Hint: Never build raw SQL with string formatting; use ORM methods [OK]

Common Mistakes:

Assuming raw() escapes inputs
Using raw SQL instead of filter()
Ignoring injection risk in string formatting

5. You want to safely filter users by email domain using Django ORM. Which approach correctly prevents SQL injection?

user_domain = request.GET.get('domain')
# Which code is safe?
A) User.objects.filter(email__endswith=user_domain)
B) User.objects.raw(f"SELECT * FROM users WHERE email LIKE '%{user_domain}'")
C) User.objects.filter(email__endswith='%' + user_domain)
D) User.objects.raw("SELECT * FROM users WHERE email LIKE '%" + user_domain + "'")

hard

A. User.objects.filter(email__endswith=user_domain)

B. User.objects.raw(f"SELECT * FROM users WHERE email LIKE '%{user_domain}'")

C. User.objects.filter(email__endswith='%' + user_domain)

D. User.objects.raw("SELECT * FROM users WHERE email LIKE '%" + user_domain + "'")

Solution

Step 1: Identify safe ORM filtering for email domain
Using filter() with email__endswith=user_domain safely escapes input and builds query.
Step 2: Analyze raw() and string concatenation risks
Options B and D use raw SQL with string interpolation, risking injection. User.objects.filter(email__endswith='%' + user_domain) incorrectly adds '%' in Python string, not ORM pattern.
Final Answer:
User.objects.filter(email__endswith=user_domain) -> Option A
Quick Check:
Use ORM filter with lookup for safe input handling = A [OK]

Hint: Use ORM lookups like __endswith, avoid raw SQL with user input [OK]

Common Mistakes:

Using raw SQL with user input directly
Adding SQL wildcards in Python strings
Ignoring ORM's safe query building

SQL injection protection via ORM in Django - Performance & Optimization

Start learning this pattern below

Practice

Solution

Step 1: Understand Django ORM query building

Step 2: Compare options with ORM behavior

Final Answer:

Quick Check:

Solution

Step 1: Identify safe ORM filtering syntax

Step 2: Analyze other options for unsafe practices

Final Answer:

Quick Check:

Solution

Step 1: Understand ORM query with dangerous input

Step 2: Analyze printed query behavior

Final Answer:

Quick Check:

Solution

Step 1: Analyze string formatting with user input

Step 2: Understand raw() method behavior

Final Answer:

Quick Check:

Solution

Step 1: Identify safe ORM filtering for email domain

Step 2: Analyze raw() and string concatenation risks

Final Answer:

Quick Check: