From: Federico Caselli
Date: Tue, 10 Sep 2024 16:42:58 +0000 (+0200)
Subject: Mention that extract.field is used as sql string
X-Git-Tag: rel_2_0_36~11^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=be66fec79fd3c4ca4cd8b8b5c4f9fe26df17ca6b;p=thirdparty%2Fsqlalchemy%2Fsqlalchemy.git
Mention that extract.field is used as sql string
Change-Id: Ieb32e298e8a1df3a31bf3a6e26b1aca381ef7a4f
(cherry picked from commit e79517d571ab6ab8a2e4e1a9bbd026bbb682df29)
---
diff --git a/lib/sqlalchemy/sql/_elements_constructors.py b/lib/sqlalchemy/sql/_elements_constructors.py
index 51d8ac3999..bdc0534abe 100644
--- a/lib/sqlalchemy/sql/_elements_constructors.py
+++ b/lib/sqlalchemy/sql/_elements_constructors.py
@@ -1159,6 +1159,9 @@ def extract(field: str, expr: _ColumnExpressionArgument[Any]) -> Extract:
 :param field: The field to extract.
+ .. warning:: This field is used as a literal SQL string.
+ **DO NOT PASS UNTRUSTED INPUT TO THIS STRING**.
+
 :param expr: A column or Python scalar expression serving as the right side of the ``EXTRACT`` expression.
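Review bot: The warning added under `:param field:` says what not to pass but gives the caller no safe alternative, so someone who has to take the field name from a request has nothing to go on. I would add one sentence to the warning, for example `If the field name comes from user input, map it to a fixed set of known names (such as "year", "month", "day") before calling.` Because the value is described as a literal SQL string, bound-parameter escaping presumably does not apply to it, and saying so explicitly would stop readers from assuming it does. The docstring and body of `extract()` continue outside the hunk, so whether the function itself validates `field` cannot be seen here.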