From 973b6ccbf1f81d2357d310ed44717fe37df96ac6 Mon Sep 17 00:00:00 2001 From: Mike Bayer Date: Mon, 6 Dec 2021 12:41:36 -0500 Subject: [PATCH] qualify the stringification warning the recipe which uses render_postcompile itself is not insecure as it still renders bound parameters and does not stringify any literal values. Change-Id: Ib5ac2f7ce37dc1415a67b117a9c31c0ee37270b3 --- doc/build/faq/sqlexpressions.rst | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/doc/build/faq/sqlexpressions.rst b/doc/build/faq/sqlexpressions.rst index cc629f4cc0..5dcf3e96ad 100644 --- a/doc/build/faq/sqlexpressions.rst +++ b/doc/build/faq/sqlexpressions.rst @@ -338,7 +338,9 @@ in the same way, such as SQLite's positional form:: .. warning:: - Remember, all of the above code recipes are **only to be used when**: + Remember, **all** of the above code recipes which stringify literal + values, bypassing the use of bound parameters when sending statements + to the database, are **only to be used when**: 1. the use is **debugging purposes only** @@ -346,7 +348,7 @@ in the same way, such as SQLite's positional form:: 3. only with **local, trusted input** - The above recipes for stringification of parameters are **not secure in + The above recipes for stringification of literal values are **not secure in any way and should never be used against production databases**. .. _faq_sql_expression_percent_signs: -- 2.47.2
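Review bot: the first hunk qualifies the warning only implicitly; the new wording "**all** of the above code recipes which stringify literal values, bypassing the use of bound parameters" still leaves a reader to work out which recipe on the page is exempt, while the commit message states it outright (the `render_postcompile` recipe keeps bound parameters and is not insecure). Suggest saying so in the warning text itself, for example: "Remember, the recipes above that stringify literal values (as opposed to the ``render_postcompile`` approach, which still renders bound parameters) are **only to be used when**:". Minor style point in the same lines: "bypassing the use of bound parameters" reads more cleanly as "bypassing bound parameters".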
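Review bot: in the second hunk the closing sentence now reads "The above recipes for stringification of literal values are **not secure in any way ...**", which is consistent with the first hunk, but it is the bolded line a skimming reader lands on and it still does not name the exemption that motivates this change. Consider appending one clause or sentence here, e.g. "Recipes that keep bound parameters in place, such as ``render_postcompile``, are not affected by this warning.", so the qualification survives even when only the bolded text is read. Unchanged context in this hunk also shows list item "1. the use is **debugging purposes only**", which is missing a preposition ("is for debugging purposes only"); worth fixing in the same documentation pass.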