qualify the stringification warning

the recipe which uses render_postcompile itself is
not insecure as it still renders bound parameters
and does not stringify any literal values.

Change-Id: Ib5ac2f7ce37dc1415a67b117a9c31c0ee37270b3

diff --git a/doc/build/faq/sqlexpressions.rst b/doc/build/faq/sqlexpressions.rst
index cc629f4cc076dfc36a4f59cc815a7b229bcca3b3..5dcf3e96ad21af07764e672f81036a45ca7630da 100644 (file)
--- a/doc/build/faq/sqlexpressions.rst
+++ b/doc/build/faq/sqlexpressions.rst
@@ -338,7 +338,9 @@ in the same way, such as SQLite's positional form::
 
 .. warning::
 
-    Remember, all of the above code recipes are **only to be used when**:
+    Remember, **all** of the above code recipes which stringify literal
+    values, bypassing the use of bound parameters when sending statements
+    to the database, are **only to be used when**:
 
     1. the use is **debugging purposes only**
 
@@ -346,7 +348,7 @@ in the same way, such as SQLite's positional form::
 
     3. only with **local, trusted input**
 
-    The above recipes for stringification of parameters are **not secure in
+    The above recipes for stringification of literal values are **not secure in
     any way and should never be used against production databases**.
 
 .. _faq_sql_expression_percent_signs: