From: Federico Caselli
Date: Tue, 10 Sep 2024 16:42:58 +0000 (+0200)
Subject: Mention that extract.field is used as sql string
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e79517d571ab6ab8a2e4e1a9bbd026bbb682df29;p=thirdparty%2Fsqlalchemy%2Fsqlalchemy.git
Mention that extract.field is used as sql string
Change-Id: Ieb32e298e8a1df3a31bf3a6e26b1aca381ef7a4f
---
diff --git a/lib/sqlalchemy/sql/_elements_constructors.py b/lib/sqlalchemy/sql/_elements_constructors.py
index 51d8ac3999..bdc0534abe 100644
--- a/lib/sqlalchemy/sql/_elements_constructors.py
+++ b/lib/sqlalchemy/sql/_elements_constructors.py
@@ -1159,6 +1159,9 @@ def extract(field: str, expr: _ColumnExpressionArgument[Any]) -> Extract:
 :param field: The field to extract.
+ .. warning:: This field is used as a literal SQL string.
+ **DO NOT PASS UNTRUSTED INPUT TO THIS STRING**.
+
 :param expr: A column or Python scalar expression serving as the right side of the ``EXTRACT`` expression.
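Review bot: The warning added under `:param field:` tells callers what not to pass, but it names neither the consequence nor the safe alternative, so a reader who must derive the field from request data has no guidance. Since the docstring now states that `field` is used as a literal SQL string, I would name the risk and follow the warning with one sentence such as `Passing untrusted input here allows SQL injection; if the field name depends on user input, choose it from a fixed set of names defined in application code.` The body of `extract` starts and ends outside this hunk, so whether the function could validate `field` itself cannot be judged from the visible lines.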