# Raw SQL through the Django ORM: you MUST pass user-controlled values in the
# params list (second argument of raw()) so the database backend handles the
# quoting and escaping; that is what prevents SQL injection.
# Do not build the query with string formatting (%, str.format, f-strings), and
# do not put quotes around the %s placeholder: either one defeats the protection.
# Reference: https://docs.djangoproject.com/en/3.2/topics/db/sql/#passing-parameters-into-raw
surname = 'Doe'
query = 'SELECT * FROM myapp_person WHERE last_name = %s'  # constant SQL text, unquoted placeholder
Person.objects.raw(query, [surname])