Mention that extract.field is used as sql string
authorFederico Caselli <cfederico87@gmail.com>
Tue, 10 Sep 2024 16:42:58 +0000 (18:42 +0200)
committerFederico Caselli <cfederico87@gmail.com>
Tue, 10 Sep 2024 16:42:58 +0000 (18:42 +0200)
Change-Id: Ieb32e298e8a1df3a31bf3a6e26b1aca381ef7a4f

lib/sqlalchemy/sql/_elements_constructors.py

index 51d8ac3999541c5dae8826777e51a916ff55eca4..bdc0534abe2c19176c3badc40e9621b358fceab0 100644 (file)
@@ -1159,6 +1159,9 @@ def extract(field: str, expr: _ColumnExpressionArgument[Any]) -> Extract:
 
     :param field: The field to extract.
 
+     .. warning:: This field is used as a literal SQL string.
+         **DO NOT PASS UNTRUSTED INPUT TO THIS STRING**.
+
     :param expr: A column or Python scalar expression serving as the
       right side of the ``EXTRACT`` expression.
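Review bot: The warning added under `:param field:` tells callers what not to pass but gives no safe pattern, so code that has to take the field name from a request has nothing to follow. I would add one sentence to the warning, such as `If the field name originates outside the application, look it up in a fixed set of allowed names (e.g. "year", "month", "day") and pass only the matched constant.` The signature in the hunk header still accepts any `str`, and the body of `extract()` lies outside this hunk, so it cannot be confirmed from here whether `field` is checked anywhere before it is rendered. If it is not, the docstring is the only guard, and it is worth saying in the warning that bound parameters do not apply to this argument.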