From 601ceddf79073c3b089a5e8d68bbb5dc6b207663 Mon Sep 17 00:00:00 2001
From: Simon Willison
Date: Tue, 23 Mar 2021 16:03:23 -0700
Subject: [PATCH] [3.2.x] Doc'd that RawSQL can be used with __in.
Backport of e53159747c53ca8db6c338998493fd8697d38fac from main
---
 docs/ref/models/expressions.txt | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/docs/ref/models/expressions.txt b/docs/ref/models/expressions.txt
index 06d98876584..9ab502d2440 100644
--- a/docs/ref/models/expressions.txt
+++ b/docs/ref/models/expressions.txt
@@ -699,12 +699,16 @@ Sometimes database expressions can't easily express a complex ``WHERE`` clause.
 In these edge cases, use the ``RawSQL`` expression. For example::
 >>> from django.db.models.expressions import RawSQL
- >>> queryset.annotate(val=RawSQL("select col from sometable where othercol = %s", (someparam,)))
+ >>> queryset.annotate(val=RawSQL("select col from sometable where othercol = %s", (param,)))
 These extra lookups may not be portable to different database engines (because you're explicitly writing SQL code) and violate the DRY principle, so you should avoid them if possible.
+``RawSQL`` expressions can also be used as the target of ``__in`` filters::
+
+ >>> queryset.filter(id__in=RawSQL("select id from sometable where col = %s", (param,)))
+
 .. warning::
 To protect against `SQL injection attacks