diff --git a/docs/topics/db/sql.txt b/docs/topics/db/sql.txt index 57834eb98a..45aa4f950e 100644 --- a/docs/topics/db/sql.txt +++ b/docs/topics/db/sql.txt @@ -154,13 +154,13 @@ parameters from the ``params`` list. It's tempting to write the above query as:: - >>> query = 'SELECT * FROM myapp_person WHERE last_name = %s', % lname + >>> query = 'SELECT * FROM myapp_person WHERE last_name = %s' % lname >>> Person.objects.raw(query) **Don't.** Using the ``params`` list completely protects you from `SQL injection - attacks`__`, a common exploit where attackers inject arbitrary SQL into + attacks`__, a common exploit where attackers inject arbitrary SQL into your database. If you use string interpolation, sooner or later you'll fall victim to SQL injection. As long as you remember to always use the ``params`` list you'll be protected. diff --git a/tests/modeltests/raw_query/__init__.py b/tests/modeltests/raw_query/__init__.py new file mode 100644 index 0000000000..e69de29bb2
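Review bot: in the sql.txt hunk, the two corrections are right (the trailing comma in `... %s', % lname` made `query` a tuple rather than a string, and the stray backtick in `attacks`__`` broke the reStructuredText hyperlink reference), but the unchanged sentence "Using the ``params`` list completely protects you from SQL injection attacks" overstates what parameterization does: ``params`` binds values only, so anything a caller still interpolates into the query text itself (a table or column name, an ``ORDER BY`` direction) is not covered. Consider "protects the values you pass through ``params``", or a short note that identifiers cannot be parameterized and must be validated separately.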
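Review bot: the new ``tests/modeltests/raw_query/__init__.py`` is an empty package marker (blob ``e69de29bb2``), and nothing else for that package is visible in this patch; if the ``models.py`` and ``tests.py`` that exercise ``raw()`` are part of the same change, include them here so the package is not added empty, and otherwise hold the ``__init__.py`` until they land.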