django raw without sql injection

To prevent SQL injection when using Django's raw SQL, use parameterized queries: pass the values as a separate argument to cursor.execute() instead of building the SQL string with Python string formatting (%, .format(), or f-strings). The database adapter then handles each value strictly as data, so input such as ' OR 1=1 -- cannot change the structure of the query. Here's an example of how to execute a raw SQL query with parameters in Django:

from django.db import connection

def get_user_by_id(user_id):
    # connection.cursor() returns a DB-API cursor for the default database.
    with connection.cursor() as cursor:
        # %s is the placeholder on every Django backend; user_id is bound
        # separately and never spliced into the SQL text.
        cursor.execute("SELECT * FROM auth_user WHERE id = %s", [user_id])
        row = cursor.fetchone()

    return row

In this example, the SQL query "SELECT * FROM auth_user WHERE id = %s" is executed with user_id as a parameter. The value is passed as a separate argument to cursor.execute(), so the database adapter binds or quotes it itself and your code never concatenates it into the SQL string. Two details matter in practice: Django uses %s as the placeholder on every backend, including SQLite, whose native placeholder is ?, and if the query also needs a literal percent sign (for example in a LIKE pattern) it must be doubled as %% whenever params are supplied. Manager.raw() accepts the same params argument, for example User.objects.raw("SELECT * FROM auth_user WHERE id = %s", [user_id]).

By using parameterized queries in Django's raw SQL, you can protect your application from SQL injection while keeping full control of the query. The one limit to keep in mind is that parameters can only carry values: table names, column names and ORDER BY directions cannot be bound this way. If those come from user input, validate them against a fixed allow-list before interpolating them into the query, or fall back to the ORM.
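The following added example (not code from the original page) makes the difference concrete by running an injection payload against both a string-formatted query and a parameterized one, and it also shows the allow-list check needed for an identifier such as a sort column, which parameters cannot carry. To run without a Django project it uses Python's sqlite3 module directly, whose cursor.execute(sql, params) call shape is what Django's connection.cursor() wraps; the only difference assumed here is the placeholder, ? in raw sqlite3 versus %s in Django. The table, rows and the sort-column allow-list are constructed for the demo.

```python
import sqlite3

# Constructed sample rows mirroring the shape of Django's auth_user table.
USERS = [
    (1, "alice", "alice@example.com", 1),
    (2, "bob", "bob@example.com", 0),
    (3, "carol", "carol@example.com", 1),
]

# Columns a caller may sort by. Identifiers cannot be bound as parameters,
# so they are validated against this fixed allow-list instead.
SORTABLE_COLUMNS = {"id", "username", "email"}


def make_db():
    """Create an in-memory SQLite database with a small auth_user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE auth_user (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, is_active INTEGER)"
    )
    conn.executemany("INSERT INTO auth_user VALUES (?, ?, ?, ?)", USERS)
    return conn


def get_user_unsafe(conn, username):
    """VULNERABLE: the value is spliced into the SQL text, so it becomes SQL."""
    sql = f"SELECT id, username FROM auth_user WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def get_user_safe(conn, username):
    """Parameterized: the value travels separately from the SQL text.

    Django's cursor.execute() takes the same (sql, params) arguments; the
    placeholder there is %s rather than sqlite3's ? (see lead-in).
    """
    sql = "SELECT id, username FROM auth_user WHERE username = ?"
    return conn.execute(sql, [username]).fetchall()


def list_users_sorted(conn, order_by):
    """Sort by a caller-chosen column, allow-listed because it is an identifier."""
    if order_by not in SORTABLE_COLUMNS:
        raise ValueError(f"refusing to sort by untrusted column: {order_by!r}")
    # Safe to interpolate only because order_by was checked against a fixed set.
    sql = f"SELECT id, username FROM auth_user ORDER BY {order_by}"
    return conn.execute(sql).fetchall()


def demo():
    """Run a classic tautology payload through both query styles."""
    conn = make_db()
    payload = "' OR '1'='1"  # constructed attack input
    # Unsafe query becomes: ... WHERE username = '' OR '1'='1' -> every row
    unsafe = get_user_unsafe(conn, payload)
    # Safe query looks for a user literally named "' OR '1'='1" -> no rows
    safe = get_user_safe(conn, payload)
    return unsafe, safe


if __name__ == "__main__":
    leaked, bound = demo()
    print(f"string-formatted query returned {len(leaked)} rows")
    print(f"parameterized query returned {len(bound)} rows")
```

The same payload returns every user from the string-formatted query and nothing from the parameterized one, because the bound value is compared literally rather than parsed as SQL. The allow-list in list_users_sorted is the pattern to reach for whenever the dynamic part of a query is an identifier rather than a value.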