@amitu
Last active September 6, 2018 09:42
SQL Injection Demonstration In Python
acko=# create table tmp_foo (id int);
CREATE TABLE
acko=# insert into tmp_foo values (1);
INSERT 0 1
acko=# insert into tmp_foo values (2);
INSERT 0 1
acko=# insert into tmp_foo values (3);
INSERT 0 1
acko=# select * from tmp_foo;
 id 
----
  1
  2
  3
(3 rows)
In [1]: from django.db import connection
In [2]: conn = connection.cursor()
In [5]: conn.execute("select count(*) from tmp_foo")
In [6]: conn.fetchone()
Out[6]: (3,)
In [7]: conn.execute("select count(*) from tmp_foo where id > 1")
In [8]: conn.fetchone()
Out[8]: (2,)
In [9]: id = "1"
In [10]: conn.execute("select count(*) from tmp_foo where id > %s" % id)
In [11]: conn.fetchone()
Out[11]: (2,)
In [9]: id = "1"
In [10]: conn.execute("select count(*) from tmp_foo where id > %s", (id, ))
In [11]: conn.fetchone()
Out[11]: (2,)
In [24]: id = "1; delete from tmp_foo"
In [25]: conn.execute("select count(*) from tmp_foo where id > %s" % id)
In [26]: conn.fetchall()
...
ProgrammingError: no results to fetch
acko=# select * from tmp_foo;
 id 
----
(0 rows)
acko=# insert into tmp_foo values (1);
INSERT 0 1
acko=# insert into tmp_foo values (2);
INSERT 0 1
acko=# insert into tmp_foo values (3);
INSERT 0 1
acko=# select * from tmp_foo;
 id 
----
  1
  2
  3
(3 rows)
In [27]: conn.execute("select count(*) from tmp_foo where id > %s", (id, ))
...
DataError: invalid input syntax for integer: "1; delete from tmp_foo"
LINE 1: select count(*) from tmp_foo where id > '1; delete from tmp_...
acko=# select * from tmp_foo;
 id 
----
  1
  2
  3
(3 rows)
asitacko commented Sep 6, 2018

Immaculate and accurate explanation.
