Skip to content

Instantly share code, notes, and snippets.

@jwlin

jwlin/views.py

Last active Apr 25, 2020
Embed
What would you like to do?
from django.http import HttpResponse
from django.shortcuts import get_object_or_404, render
from .models import Account, Client
def show(request):
uname = request.POST["uname"]
if "injection" in request.POST:
# Use raw SQL and string concatenation, resulting in SQL injection
accounts = Account.objects.raw(f'SELECT * FROM atm_account as a, atm_client as c WHERE a.client_id=c.id and c.username="{uname}"')
else:
# Use built-in ORM in Django
accounts = Account.objects.filter(client__username=uname)
return render(request, "atm/show.html", {"accounts": accounts})
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment