author: petedmarsh <petedmarsh@users.noreply.github.com> 2016-07-21 15:28:31 +0100
committer: Tim Graham <timograham@gmail.com> 2016-07-21 10:29:18 -0400
commit: 8f7008c48769b2b4340581b6b0f6c41d99c2c1df
tree: b9f5b2c53d42cd58de340120e60d3a72d9006091 /docs/ref/models
parent: bc151b692a2e0f35a15b72a5bafcb42dea263461
[1.9.x] Fixed #26899 -- Documented why RawSQL params is a required parameter.
Backport of 7bf3ba0d0c700670d13d7683eec7bd3eb3d4dd1f from master
Diffstat (limited to 'docs/ref/models')
-rw-r--r-- docs/ref/models/expressions.txt 4
1 files changed, 3 insertions, 1 deletions
diff --git a/docs/ref/models/expressions.txt b/docs/ref/models/expressions.txt
index 4eb16e361f..051d92d543 100644
--- a/docs/ref/models/expressions.txt
+++ b/docs/ref/models/expressions.txt
@@ -447,7 +447,9 @@ should avoid them if possible.
You should be very careful to escape any parameters that the user can
control by using ``params`` in order to protect against :ref:`SQL injection
- attacks <sql-injection-protection>`.
+ attacks <sql-injection-protection>`. ``params`` is a required argument to
+ force you to acknowledge that you're not interpolating your SQL with user
+ provided data.
.. currentmodule:: django.db.models
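Review bot: The sentence added after ``attacks <sql-injection-protection>`.`` explains why ``params`` is required but never says what to pass when the SQL contains no user-controlled values, so a reader still has to guess how to satisfy the argument in that case; consider stating it explicitly. The phrase "acknowledge that you're not interpolating" can also be read as if the required argument were itself the safeguard, whereas the context line above is what tells the reader to route user-controlled values through ``params``; wording such as "to make you consider whether any part of the SQL comes from user input" would avoid that reading. Minor: "user provided data" should be hyphenated as "user-provided data".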