Skip to content

Instantly share code, notes, and snippets.



Last active Apr 25, 2020
What would you like to do?
from django.http import HttpResponse
from django.shortcuts import get_object_or_404, render
from .models import Account, Client
def show(request):
uname = request.POST["uname"]
if "injection" in request.POST:
# Use raw SQL and string concatenation, resulting in SQL injection
accounts = Account.objects.raw(f'SELECT * FROM atm_account as a, atm_client as c WHERE and c.username="{uname}"')
# Use built-in ORM in Django
accounts = Account.objects.filter(client__username=uname)
return render(request, "atm/show.html", {"accounts": accounts})
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment