@@ -1033,6 +1033,13 @@ Sometimes, the Django query syntax by itself can't easily express a complex
``QuerySet`` modifier — a hook for injecting specific clauses into the SQL
generated by a ``QuerySet``.
+.. warning::
+
+ You should be very careful whenever you use ``extra()``. Every time you use
+ it, you should escape any parameters that the user can control by using
+ ``params`` in order to protect against SQL injection attacks . Please
+ read more about :ref:`SQL injection protection <sql-injection-protection>`.
+
By definition, these extra lookups may not be portable to different database
engines (because you're explicitly writing SQL code) and violate the DRY
principle, so you should avoid them if possible.
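Review bot: the added warning has a stray space before the period in "SQL injection attacks ." (should be "attacks."). The wording "escape any parameters that the user can control by using ``params``" could also be made more precise, since the point is to pass user-controlled values through ``params`` rather than interpolating them into the SQL strings; something like "pass any values the user can control through ``params`` instead of building them into the SQL" states the mechanism the reader actually needs to follow.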
@@ -1402,7 +1409,7 @@ Takes a raw SQL query, executes it, and returns a
``django.db.models.query.RawQuerySet`` instance. This ``RawQuerySet`` instance
can be iterated over just like an normal ``QuerySet`` to provide object instances.
-See the :ref:`executing-raw-queries` for more information.
+See the :doc:`/topics/db/sql` for more information.
.. warning::
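Review bot: with a bare ``:doc:`` role the rendered link text is the target document's title, so "See the :doc:`/topics/db/sql` for more information." will read as "See the <page title> for more information." Either drop "the" (``See :doc:`/topics/db/sql` for more information.``) or give explicit link text with the ``:doc:`text </topics/db/sql>``` form. While touching this paragraph, the unchanged context line "just like an normal ``QuerySet``" should say "a normal"; worth fixing in the same commit.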