I'm writing a web app with the Django framework. I've written a login function for users. How can I protect the input from SQL injections in the most efficient way?
To protect your Django app from SQL injection attacks, you should always use parameterized queries when interacting with the database. In Django, this means using the query APIs provided by the Django ORM, such as the filter() and get() methods, instead of constructing raw SQL queries.

By using the Django ORM, the framework will automatically handle escaping any data that is passed to the query, preventing SQL injection attacks. For example, the following code demonstrates how to use the filter() method to fetch a user based on their username:

from django.contrib.auth.models import User

def login(username, password):
    # The username is bound as a query parameter by the ORM, never spliced into SQL text.
    user = User.objects.filter(username=username).first()
    if user and user.check_password(password):
        # Login successful
        return True
    else:
        # Login failed
        return False

This code is safe from SQL injection attacks because the username value is passed to the filter() method as a parameter, rather than being included directly in the SQL query. The Django ORM automatically handles escaping the username value to prevent SQL injection.

In general, it's best practice to always use parameterized queries when interacting with the database, regardless of the framework you are using. This will help ensure that your application is protected against SQL injection attacks, and will make your code easier to read and maintain.
SQL Injection (SQLi) is one of the most dangerous classes of web vulnerabilities. Thankfully, it’s becoming increasingly rare — thanks mostly to increasing use of database abstraction layers like Django’s ORM — but where it occurs it can be devastating. SQLi happens when code incorrectly constructs SQL queries that contain user input. 
Django’s ORM uses parameterized statements everywhere, so it is highly resistant to SQLi. Thus, if you’re using the ORM to make database queries you can be fairly confident that your app is safe.

However, there are still a few cases where you need to be aware of injection attacks; a very small minority of APIs are not 100% safe. These are where you should focus your auditing, and where your automated code analysis should focus its checks.
1. Raw queries: Occasionally, the ORM isn’t expressive enough, and you need raw SQL. Before you do, consider whether there are ways to avoid it.
2. AVOID: QuerySet.extra()
3. Always pass parameterized statements — even if your parameter list is empty.
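The point both answers make (the ORM example in the first, the raw-SQL rule in the second) is that the user-supplied value must travel to the database as a bound parameter, never as part of the SQL text. The following is an added example, not code from either answer or from Django itself: it uses the standard library's sqlite3 module, which follows the same DB-API 2.0 placeholder convention that Django's connection.cursor().execute(sql, params) and Model.objects.raw(sql, params) use, so it runs without Django installed. The table name, the two test users, and the test inputs are constructed for the demonstration; Django uses %s rather than ? as the placeholder, as the sqlite3 binding here does.

```python
import sqlite3


def make_db():
    # Constructed in-memory database with two test users; password column holds a
    # placeholder, since the lookup (not the hash check) is what the example is about.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE auth_user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO auth_user (username, password) VALUES (?, ?)",
        ("alice", "hashed-placeholder"),
    )
    conn.execute(
        "INSERT INTO auth_user (username, password) VALUES (?, ?)",
        ("o'brien", "hashed-placeholder"),
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    # Defect: the input is spliced into the SQL text, so quote characters in the
    # input change the structure of the statement rather than just its data.
    sql = f"SELECT id, username FROM auth_user WHERE username = '{username}'"
    return conn.execute(sql).fetchone()


def find_user_safe(conn, username):
    # Hardened form: the SQL text is fixed and the value is bound separately.
    # This is what the ORM's filter(username=username) does under the hood, and
    # what cursor.execute(sql, [username]) does for raw SQL in Django (with %s).
    sql = "SELECT id, username FROM auth_user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()


def demo():
    # Run both lookups over the same constructed inputs and collect the results
    # so the difference is visible as data rather than as printed output.
    conn = make_db()
    tautology = "' OR '1'='1"  # constructed test input, not a real username
    results = {
        "safe_exact": find_user_safe(conn, "alice"),
        "safe_quote": find_user_safe(conn, "o'brien"),
        "safe_tautology": find_user_safe(conn, tautology),
        "unsafe_tautology": find_user_unsafe(conn, tautology),
    }
    try:
        # A legitimate username containing a quote breaks the unsafe query entirely.
        find_user_unsafe(conn, "o'brien")
        results["unsafe_quote_error"] = False
    except sqlite3.OperationalError:
        results["unsafe_quote_error"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two things to take from the results: the parameterized lookup returns no row for the malformed input and the correct row for a username that legitimately contains a quote, while the concatenated version returns the wrong row for one and raises a syntax error for the other. The same discipline carries over to Django's raw-SQL escape hatches: pass the params list to cursor.execute() or raw() rather than formatting the string yourself, and note that Django documents %s as its placeholder regardless of backend.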