author: Mike Bayer <mike_mp@zzzcomputing.com> 2021-12-06 12:41:36 -0500
committer: Mike Bayer <mike_mp@zzzcomputing.com> 2021-12-06 12:41:36 -0500
commit: 973b6ccbf1f81d2357d310ed44717fe37df96ac6 (patch)
tree: a9f95c835bae4d358417d160bd438fbb3422e10d
parent: cf95ea2eee2d99051e24b529a8b39ff3f1a494cb (diff)
download: sqlalchemy-973b6ccbf1f81d2357d310ed44717fe37df96ac6.tar.gz
qualify the stringification warning
the recipe which uses render_postcompile itself is not insecure as it still renders bound parameters and does not stringify any literal values.

Change-Id: Ib5ac2f7ce37dc1415a67b117a9c31c0ee37270b3
-rw-r--r-- doc/build/faq/sqlexpressions.rst | 6
1 files changed, 4 insertions, 2 deletions
diff --git a/doc/build/faq/sqlexpressions.rst b/doc/build/faq/sqlexpressions.rst
index cc629f4cc..5dcf3e96a 100644
--- a/doc/build/faq/sqlexpressions.rst
+++ b/doc/build/faq/sqlexpressions.rst
@@ -338,7 +338,9 @@ in the same way, such as SQLite's positional form::
.. warning::
- Remember, all of the above code recipes are **only to be used when**:
+ Remember, **all** of the above code recipes which stringify literal
+ values, bypassing the use of bound parameters when sending statements
+ to the database, are **only to be used when**:
1. the use is **debugging purposes only**
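Review bot: the new opening sentence narrows the warning to "recipes which stringify literal values", but the reader still has to work out for themselves which of the preceding recipes that is; the commit message states the render_postcompile recipe is exempt because it keeps bound parameters, so consider saying so explicitly in the warning, e.g. "(the render_postcompile recipe above, which still emits bound parameters, is not affected)", so that the exemption lives in the docs and not only in the commit message.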
@@ -346,7 +348,7 @@ in the same way, such as SQLite's positional form::
3. only with **local, trusted input**
- The above recipes for stringification of parameters are **not secure in
+ The above recipes for stringification of literal values are **not secure in
any way and should never be used against production databases**.
.. _faq_sql_expression_percent_signs:
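Review bot: the closing sentence now matches the opening ("stringification of literal values" rather than "of parameters"), which is the right consistency fix; since the point of the change is that rendering with bound parameters intact is the safe path, it would help to end the warning by naming that alternative, e.g. "Use bound parameters (or render_postcompile, which preserves them) when executing statements against real databases", so the warning tells readers what to do as well as what to avoid.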