[1.6.x] Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection

Thanks Erik Romijn for the suggestion.

Backport of 3776926cfe from master
Moayad Mardini 2014-04-24 21:10:03 +03:00 committed by Tim Graham
parent 42659ceb3f
commit 2b0e9aa57d
3 changed files with 16 additions and 0 deletions


@ -975,6 +975,13 @@ Sometimes, the Django query syntax by itself can't easily express a complex
``QuerySet`` modifier — a hook for injecting specific clauses into the SQL
generated by a ``QuerySet``.
.. warning::
You should be very careful whenever you use ``extra()``. Every time you use
it, you should escape any parameters that the user can control by using
``params`` in order to protect against SQL injection attacks . Please
read more about :ref:`SQL injection protection <sql-injection-protection>`.
By definition, these extra lookups may not be portable to different database
engines (because you're explicitly writing SQL code) and violate the DRY
principle, so you should avoid them if possible.
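Review bot: the added warning has a stray space before the full stop in "SQL injection attacks ." (fourth line of the directive body); drop it. The same sentence says to "escape any parameters that the user can control by using ``params``", which could be read as asking the developer to escape values themselves in addition to using ``params``; wording such as "pass any values the user can control through ``params`` instead of interpolating them into the SQL string" would state the intended mechanism more precisely.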


@ -13,6 +13,14 @@ return model instances`__, or you can avoid the model layer entirely and
__ `performing raw queries`_
__ `executing custom SQL directly`_
.. warning::
You should be very careful whenever you write raw SQL. Every time you use
it, you should properly escape any parameters that the user can control
by using ``params`` in order to protect against SQL injection attacks.
Please read more about :ref:`SQL injection protection
<sql-injection-protection>`.
.. _executing-raw-queries:
Performing raw queries
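Review bot: this warning and the one added to the ``extra()`` docs in the same commit carry the same advice but differ in small ways ("properly escape" here versus "escape" there; "whenever you write raw SQL" versus "whenever you use ``extra()``"). Aligning the shared sentence word for word would keep the two warnings consistent and make a later edit to one of them easier to mirror. The ``:ref:`` role split across two lines ("SQL injection protection" / "<sql-injection-protection>") is valid reST, so no change needed there.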


@ -79,6 +79,7 @@ HSTS for supported browsers.
Be very careful with marking views with the ``csrf_exempt`` decorator unless
it is absolutely necessary.
.. _sql-injection-protection:
SQL injection protection
========================
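Review bot: the new ``.. _sql-injection-protection:`` label matches the target name used by both ``:ref:`` links added in the other two files, so the cross-references will resolve. Since this hunk adds only the label line, confirm in the source that a blank line separates it from the "SQL injection protection" heading, which is what binds the label to that section in Sphinx; the rendered context here does not show blank lines.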