summaryrefslogtreecommitdiff
path: root/docs/ref
diff options
context:
space:
mode:
Diffstat (limited to 'docs/ref')
-rw-r--r--docs/ref/models/querysets.txt9
1 files changed, 8 insertions, 1 deletions
diff --git a/docs/ref/models/querysets.txt b/docs/ref/models/querysets.txt
index 0f9ef88c25..84577d40fa 100644
--- a/docs/ref/models/querysets.txt
+++ b/docs/ref/models/querysets.txt
@@ -1046,6 +1046,13 @@ Sometimes, the Django query syntax by itself can't easily express a complex
``QuerySet`` modifier — a hook for injecting specific clauses into the SQL
generated by a ``QuerySet``.
+.. warning::
+
+ You should be very careful whenever you use ``extra()``. Every time you use
+ it, you should escape any parameters that the user can control by using
+ ``params`` in order to protect against SQL injection attacks . Please
+ read more about :ref:`SQL injection protection <sql-injection-protection>`.
+
By definition, these extra lookups may not be portable to different database
engines (because you're explicitly writing SQL code) and violate the DRY
principle, so you should avoid them if possible.
@@ -1415,7 +1422,7 @@ Takes a raw SQL query, executes it, and returns a
``django.db.models.query.RawQuerySet`` instance. This ``RawQuerySet`` instance
can be iterated over just like an normal ``QuerySet`` to provide object instances.
-See the :ref:`executing-raw-queries` for more information.
+See the :doc:`/topics/db/sql` for more information.
.. warning::