summaryrefslogtreecommitdiff
path: root/docs/ref
diff options
context:
space:
mode:
authorpetedmarsh <petedmarsh@users.noreply.github.com>2016-07-21 15:28:31 +0100
committerTim Graham <timograham@gmail.com>2016-07-21 10:28:31 -0400
commit7bf3ba0d0c700670d13d7683eec7bd3eb3d4dd1f (patch)
tree4811c37a6cbdb722c9d8400e46b0f869b329f8cd /docs/ref
parentca32979cdcafe28cc9cba2c189787e536fef9bb9 (diff)
Fixed #26899 -- Documented why RawSQL params is a required parameter.
Diffstat (limited to 'docs/ref')
-rw-r--r--docs/ref/models/expressions.txt4
1 files changed, 3 insertions, 1 deletions
diff --git a/docs/ref/models/expressions.txt b/docs/ref/models/expressions.txt
index a07b57e815..667285adbb 100644
--- a/docs/ref/models/expressions.txt
+++ b/docs/ref/models/expressions.txt
@@ -459,7 +459,9 @@ should avoid them if possible.
You should be very careful to escape any parameters that the user can
control by using ``params`` in order to protect against :ref:`SQL injection
- attacks <sql-injection-protection>`.
+ attacks <sql-injection-protection>`. ``params`` is a required argument to
+ force you to acknowledge that you're not interpolating your SQL with user
+ provided data.
.. currentmodule:: django.db.models