Fixed #12409 -- Corrected some documentation typos in the docs on raw querysets. Also added a missing __init__.py file. Thanks to Alex Gaynor for the reports.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@11924 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent c804179126
commit 79d6e402e3
@@ -154,13 +154,13 @@ parameters from the ``params`` list.
 
 It's tempting to write the above query as::
 
->>> query = 'SELECT * FROM myapp_person WHERE last_name = %s', % lname
+>>> query = 'SELECT * FROM myapp_person WHERE last_name = %s' % lname
 >>> Person.objects.raw(query)
 
 **Don't.**
 
 Using the ``params`` list completely protects you from `SQL injection
-attacks`__`, a common exploit where attackers inject arbitrary SQL into
+attacks`__, a common exploit where attackers inject arbitrary SQL into
 your database. If you use string interpolation, sooner or later you'll
 fall victim to SQL injection. As long as you remember to always use the
 ``params`` list you'll be protected.
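Review bot: the context lines at the end of this hunk, "Using the ``params`` list completely protects you from SQL injection" and "As long as you remember to always use the ``params`` list you'll be protected", promise more than parameterisation delivers, and since the commit is already editing this paragraph it is worth tightening them. Passing values through ``params`` keeps those values out of the query text, but it cannot parameterise identifiers or query structure: a raw SQL string that is itself assembled from untrusted input (a table or column name, an ORDER BY clause, a fragment chosen from a request parameter) is still injectable even when every value goes through ``params``. Suggest narrowing the claim to the values, e.g. "Using the ``params`` list protects the values you pass from SQL injection", and stating explicitly that the SQL string handed to ``raw()`` must itself be a fixed string that never incorporates user input. The corrected "don't do this" example above is fine as the bad pattern; it would be clearer still if the sentence after ``**Don't.**`` said why in one clause (the value is spliced into the query text, so a quote in ``lname`` ends the literal).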