Diffstat (limited to 'docs/topics/db/sql.txt')
| -rw-r--r-- | docs/topics/db/sql.txt | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/topics/db/sql.txt b/docs/topics/db/sql.txt index 823901946b..e577ca3648 100644 --- a/docs/topics/db/sql.txt +++ b/docs/topics/db/sql.txt @@ -13,6 +13,14 @@ return model instances`__, or you can avoid the model layer entirely and __ `performing raw queries`_ __ `executing custom SQL directly`_ +.. warning:: + + You should be very careful whenever you write raw SQL. Every time you use + it, you should properly escape any parameters that the user can control + by using ``params`` in order to protect against SQL injection attacks. + Please read more about :ref:`SQL injection protection + <sql-injection-protection>`. + .. _executing-raw-queries: Performing raw queries |
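Review bot: the core sentence of the added warning misdescribes the mechanism: passing values through ``params`` does not "escape" them, it hands them to the database driver as query parameters kept separate from the SQL text, so "you should properly escape any parameters that the user can control by using ``params``" should read along the lines of "pass any values the user can control as ``params`` rather than building them into the SQL string with quoting or string formatting", ideally also stating the converse explicitly (never interpolate untrusted input into the query string), since that is the mistake the warning exists to prevent. Two smaller wording points in the same hunk: "Every time you use it, you should" repeats "whenever you write raw SQL" from the previous sentence and can be dropped, and "Please read more about :ref:`SQL injection protection <sql-injection-protection>`" reads better in the documentation's own voice as "See :ref:`SQL injection protection <sql-injection-protection>`". Before merging, confirm that the label ``sql-injection-protection`` is defined elsewhere in the docs, otherwise the cross-reference will not resolve at build time.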
