Fixed #12409 -- Corrected some documentation typos in the docs on raw querysets. Also added a missing __init__.py file. Thanks to Alex Gaynor for the reports.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11924 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Russell Keith-Magee 2009-12-21 01:53:39 +00:00
parent c804179126
commit 79d6e402e3
2 changed files with 2 additions and 2 deletions

View File

@ -154,13 +154,13 @@ parameters from the ``params`` list.
It's tempting to write the above query as:: It's tempting to write the above query as::
>>> query = 'SELECT * FROM myapp_person WHERE last_name = %s', % lname >>> query = 'SELECT * FROM myapp_person WHERE last_name = %s' % lname
>>> Person.objects.raw(query) >>> Person.objects.raw(query)
**Don't.** **Don't.**
Using the ``params`` list completely protects you from `SQL injection Using the ``params`` list completely protects you from `SQL injection
attacks`__`, a common exploit where attackers inject arbitrary SQL into attacks`__, a common exploit where attackers inject arbitrary SQL into
your database. If you use string interpolation, sooner or later you'll your database. If you use string interpolation, sooner or later you'll
fall victim to SQL injection. As long as you remember to always use the fall victim to SQL injection. As long as you remember to always use the
``params`` list you'll be protected. ``params`` list you'll be protected.

View File