First, why aren't you using the Django ORM for this?

首先，您为什么不为此使用 Django ORM？

MyClass.objects.filter( aField__contains=var1, secondField__exact=var2 )

Second, be sure you're getting the SQL you expect.

其次，确保您获得了您期望的 SQL。

stmt= "select... afield like '%%%s%%' and secondfield = '%s'..." % ( var1, var2 )
print stmt
cursor.execute( stmt )

Third, your method has a security hole called a SQL Injection Attack. You really should not be doing SQL like this.

第三，您的方法有一个安全漏洞，称为 SQL 注入攻击。你真的不应该像这样执行 SQL。

If you absolutely must do things outside Django's ORM, you have to use bind variables in your query, not string substitution. See http://docs.djangoproject.com/en/dev/topics/db/sql/#performing-raw-sql-queries.

如果你绝对必须在 Django 的 ORM 之外做一些事情，你必须在你的查询中使用绑定变量，而不是字符串替换。请参阅http://docs.djangoproject.com/en/dev/topics/db/sql/#performing-raw-sql-queries。

can hack string '%' into search string?

可以将字符串 '%' 破解为搜索字符串吗？

var1 = '%' + var1 + '%'

then query normally:

cursor.execute("select col1, col2 
                    from my_tablem                     where afield like %s
                    and secondfield = %s
                    order by 1 desc " , [var1, var2] )

I had a similar issue. I was trying to search among concatenated name fields. My query was something like:

我有一个类似的问题。我试图在串联的名称字段中进行搜索。我的查询是这样的：

sql = """SELECT * from auth_user WHERE lower(first_name) || ' ' || lower(last_name) = '%%%s%%'"""

User.objects.raw(sql, [q])

The problem was that the %% were breaking my query. The solution I wound up with was:

问题是 %% 破坏了我的查询。我最终的解决方案是：

q = '%' + q + '%'
sql = """SELECT * from auth_user WHERE lower(first_name) || ' ' || lower(last_name) = %s"""

User.objects.raw(sql, [q])

Persona.objects.raw("**SELECT** id,concat_ws(' ',nombre,apellido) **AS** nombre_completo **FROM** persona **GROUP BY** id **HAVING** concat_ws(' ',nombre,apellido) **ILIKE** '%s' " % ('%%' + query + '%%'))

(Postgresql 9.1)

(PostgreSQL 9.1)