From e79517d571ab6ab8a2e4e1a9bbd026bbb682df29 Mon Sep 17 00:00:00 2001
From: Federico Caselli
Date: Tue, 10 Sep 2024 18:42:58 +0200
Subject: [PATCH] Mention that extract.field is used as sql string
Change-Id: Ieb32e298e8a1df3a31bf3a6e26b1aca381ef7a4f
---
 lib/sqlalchemy/sql/_elements_constructors.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/lib/sqlalchemy/sql/_elements_constructors.py b/lib/sqlalchemy/sql/_elements_constructors.py
index 51d8ac3999..bdc0534abe 100644
--- a/lib/sqlalchemy/sql/_elements_constructors.py
+++ b/lib/sqlalchemy/sql/_elements_constructors.py
@@ -1159,6 +1159,9 @@ def extract(field: str, expr: _ColumnExpressionArgument[Any]) -> Extract:
 :param field: The field to extract.
+ .. warning:: This field is used as a literal SQL string.
+ **DO NOT PASS UNTRUSTED INPUT TO THIS STRING**.
+
 :param expr: A column or Python scalar expression serving as the right side of the ``EXTRACT`` expression.
-- 
2.47.2
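Review bot: The warning added under `:param field:` tells callers what to avoid but not what to do instead, so someone who must accept a field name from a request has no documented safe pattern. I would add one more sentence to the directive, for example `Validate caller-supplied values against a fixed set of known field names before passing them here.` The body of `extract()` lies outside this hunk, so whether the code itself checks `field` cannot be judged from these lines; if it does not, rejecting unexpected values in code would be a stronger follow-up than documentation alone.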