Save db from SQL injections

esi/scraper/views.py

@@ -74,7 +74,7 @@ class NewJobCreateView(CreateView):
     def post(self, request, *args, **kwargs):
         name = request.POST.get('name')
         spider = Spider.objects.get(pk=request.POST.get('spider'))
-        query = request.POST.get('query')
+        query = self._validate_query(request.POST.get('query'))
         job = Job.objects.create(name=name, spider=spider, query=query)
         interval = request.POST.get('interval')
         if interval:
@@ -85,6 +85,15 @@ class NewJobCreateView(CreateView):
 
         return HttpResponseRedirect(reverse('job_list'))
 
+    def _validate_query(self, query):
+        block = [';', 'in', 'select']
+        if any(ext in query for ext in block):
+            print('Query is blocked')
+            return None
+        else:
+            return query
+
+
 
 @method_decorator(login_required, name='dispatch')
 class EditJobView(UpdateView):