diff options
| author | petedmarsh <petedmarsh@users.noreply.github.com> | 2016-07-21 15:28:31 +0100 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-07-21 10:29:06 -0400 |
| commit | 5cc619078860c13ae910b26cd2ab5c11508c023f (patch) | |
| tree | b49e50beeeea4db8b595a7265e075dee854f3b64 /docs/ref | |
| parent | c8d166241f5f3caf2fbb03b10f0d59346dedbc9a (diff) | |
[1.10.x] Fixed #26899 -- Documented why RawSQL params is a required parameter.
Backport of 7bf3ba0d0c700670d13d7683eec7bd3eb3d4dd1f from master
Diffstat (limited to 'docs/ref')
| -rw-r--r-- | docs/ref/models/expressions.txt | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/docs/ref/models/expressions.txt b/docs/ref/models/expressions.txt index 69fad99f47..1b199c1df6 100644 --- a/docs/ref/models/expressions.txt +++ b/docs/ref/models/expressions.txt @@ -463,7 +463,9 @@ should avoid them if possible. You should be very careful to escape any parameters that the user can control by using ``params`` in order to protect against :ref:`SQL injection - attacks <sql-injection-protection>`. + attacks <sql-injection-protection>`. ``params`` is a required argument to + force you to acknowledge that you're not interpolating your SQL with user + provided data. .. currentmodule:: django.db.models |
