Django - Security Best Practices
Application question 15 of 15 (difficulty: hard)
You want to safely filter users by email domain using Django ORM. Which approach correctly prevents SQL injection?
user_domain = request.GET.get('domain')
# Which code is safe?
A) User.objects.filter(email__endswith=user_domain)
B) User.objects.raw(f"SELECT * FROM users WHERE email LIKE '%{user_domain}'")
C) User.objects.filter(email__endswith='%' + user_domain)
D) User.objects.raw("SELECT * FROM users WHERE email LIKE '%" + user_domain + "'")
Step-by-Step Solution

  1. Identify the safe ORM filter for an email domain

    User.objects.filter(email__endswith=user_domain) sends user_domain to the database as a bound query parameter, and the ORM escapes LIKE wildcards inside the value, so the input cannot change the structure of the query.

  2. Analyze the raw() and string-concatenation options

    Options B and D build raw SQL by interpolating or concatenating user input into the query string, which allows SQL injection. raw() is only safe when values are passed through its params argument rather than into the string. Option C is not an injection, but it is still wrong: the ORM escapes the '%' as a literal character, so the filter would only match emails ending in a literal '%' followed by the domain; SQL wildcards belong in the lookup (__endswith), not in the Python string.

  3. Final Answer:

    User.objects.filter(email__endswith=user_domain) -> Option A

  4. Quick Check:

    The ORM filter with a lookup handles the user input safely = A [OK]

Quick Trick: Use ORM lookups such as __endswith and avoid raw SQL built from user input [OK]
Common Mistakes:
  • Using raw SQL with user input directly
  • Adding SQL wildcards in Python strings
  • Ignoring ORM's safe query building