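# Examples of QuerySet.extra(). The strings given to select / where / tables
# are SQL fragments placed into the statement as written, so keep them constant
# and pass every runtime value through params / select_params.
# Django's documentation describes extra() as a last resort; where the ORM can
# express the query (e.g. Person.objects.filter(first=first_name)), prefer that.

## select: add simple computed columns
# SELECT age, (age > 18) as is_adult FROM myapp_person;
Person.objects.all().extra(select={'is_adult': "age > 18"})

## where: supply extra WHERE conditions
# SELECT * FROM myapp_person WHERE first||last ILIKE 'jeffrey%';
Person.objects.all().extra(where=["first||last ILIKE 'jeffrey%'"])

## tables: join other tables
# SELECT * FROM myapp_book, myapp_person WHERE last = author_last
# The keyword is `tables` (plural), matching the extra() signature; `table=`
# is not an accepted argument and raises TypeError.
Book.objects.all().extra(tables=['myapp_person'], where=['last = author_last'])

## params: bind parameters
# !! WRONG !!
first_name = 'Joe'
# If first_name contains SQL-special characters this is a SQL injection hole:
# the value is pasted into the SQL text before the database driver sees it.
Person.objects.all().extra(where=["first = '%s'" % first_name])

# Correct way: leave the placeholder unquoted and hand the value to params, so
# the database driver does the quoting. Writing '%s' inside quotes would wrap
# the already-quoted value a second time and defeat the protection.
Person.objects.all().extra(where=["first = %s"], params=[first_name])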
extra源码
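def extra(self, select=None, where=None, params=None, tables=None,
          order_by=None, select_params=None):
    """
    Add extra SQL fragments to the query and return the modified clone.

    All six arguments are forwarded unchanged to ``query.add_extra`` on a
    clone of this queryset; the receiver itself is not modified. This method
    does no escaping or validation of the fragments, so callers should keep
    ``select`` / ``where`` / ``tables`` / ``order_by`` free of untrusted text
    and pass runtime values through ``params`` / ``select_params``.

    Raises:
        AssertionError: if ``self.query.can_filter()`` is false (the query
            has already been sliced).
    """
    # Raised explicitly rather than via `assert`, because assert statements
    # are removed under `python -O` and the guard would silently vanish.
    # The exception type and message are the same as before.
    if not self.query.can_filter():
        raise AssertionError("Cannot change a query once a slice has been taken")
    clone = self._clone()
    clone.query.add_extra(select, select_params, where, params, tables, order_by)
    return clone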
时间: 2024-12-17 11:42:01