From ae1535606145df9c858d4c5a5a2d9a9cff9f3992 Mon Sep 17 00:00:00 2001 From: Moayad Mardini Date: Thu, 24 Apr 2014 21:10:03 +0300 Subject: [PATCH] [1.7.x] Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection Thanks Erik Romijn for the suggestion. Backport of 3776926cfe from master --- docs/ref/models/querysets.txt | 9 ++++++++- docs/topics/db/sql.txt | 8 ++++++++ docs/topics/security.txt | 1 + 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/docs/ref/models/querysets.txt b/docs/ref/models/querysets.txt index 0f9ef88c25..84577d40fa 100644 --- a/docs/ref/models/querysets.txt +++ b/docs/ref/models/querysets.txt @@ -1046,6 +1046,13 @@ Sometimes, the Django query syntax by itself can't easily express a complex ``QuerySet`` modifier — a hook for injecting specific clauses into the SQL generated by a ``QuerySet``. +.. warning:: + + You should be very careful whenever you use ``extra()``. Every time you use + it, you should escape any parameters that the user can control by using + ``params`` in order to protect against SQL injection attacks . Please + read more about :ref:`SQL injection protection `. + By definition, these extra lookups may not be portable to different database engines (because you're explicitly writing SQL code) and violate the DRY principle, so you should avoid them if possible. @@ -1415,7 +1422,7 @@ Takes a raw SQL query, executes it, and returns a ``django.db.models.query.RawQuerySet`` instance. This ``RawQuerySet`` instance can be iterated over just like an normal ``QuerySet`` to provide object instances. -See the :ref:`executing-raw-queries` for more information. +See the :doc:`/topics/db/sql` for more information. .. warning:: diff --git a/docs/topics/db/sql.txt b/docs/topics/db/sql.txt index 72ded4cbdb..fc10b0e4a9 100644 --- a/docs/topics/db/sql.txt +++ b/docs/topics/db/sql.txt 
@@ -13,6 +13,14 @@ return model instances`__, or you can avoid the model layer entirely and __ `performing raw queries`_ __ `executing custom SQL directly`_ +.. warning:: + + You should be very careful whenever you write raw SQL. Every time you use + it, you should properly escape any parameters that the user can control + by using ``params`` in order to protect against SQL injection attacks. + Please read more about :ref:`SQL injection protection + `. + .. _executing-raw-queries: Performing raw queries diff --git a/docs/topics/security.txt b/docs/topics/security.txt index 1ae5ddf78e..5fd62eb694 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt @@ -79,6 +79,7 @@ HSTS for supported browsers. Be very careful with marking views with the ``csrf_exempt`` decorator unless it is absolutely necessary. +.. _sql-injection-protection: SQL injection protection ========================
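Review bot: The new ``extra()`` warning in docs/ref/models/querysets.txt has a stray space before the full stop in "SQL injection attacks ." and its cross-reference, as shown here, is ``:ref:`SQL injection protection ``` with no ``<target>``; it should point at the label added in docs/topics/security.txt, i.e. ``:ref:`SQL injection protection <sql-injection-protection>```, or the link will not resolve. The phrase "escape any parameters that the user can control by using ``params``" also suggests that ``params`` escapes values; it actually hands them to the database driver as bound parameters, so it would be more precise to say that user-controlled values must never be formatted into the SQL fragments passed to ``extra()`` and must always go through ``params``.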
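Review bot: Same wording issue in the docs/topics/db/sql.txt warning: "properly escape any parameters ... by using ``params``" conflates escaping with parameterisation. Since this page is what the new ``raw()`` link sends readers to, consider stating plainly that values must be passed via ``params`` and never interpolated into the query string, and keep the wording identical to the ``extra()`` warning so both pages give the same rule.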
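Review bot: In docs/topics/security.txt the new ``.. _sql-injection-protection:`` label is placed directly above the "SQL injection protection" title with no blank line between them; reST needs the explicit target to end with a blank line, otherwise the title lines are absorbed into the target and Sphinx reports a malformed hyperlink target, which would break both new ``:ref:`` links. Add a blank line after the label.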