| field | value | date |
|---|---|---|
| author | Mike Bayer <mike_mp@zzzcomputing.com> | 2021-12-06 12:41:36 -0500 |
| committer | Mike Bayer <mike_mp@zzzcomputing.com> | 2021-12-06 12:41:36 -0500 |
| commit | 973b6ccbf1f81d2357d310ed44717fe37df96ac6 (patch) | |
| tree | a9f95c835bae4d358417d160bd438fbb3422e10d | |
| parent | cf95ea2eee2d99051e24b529a8b39ff3f1a494cb (diff) | |
| download | sqlalchemy-973b6ccbf1f81d2357d310ed44717fe37df96ac6.tar.gz | |
qualify the stringification warning

the recipe which uses render_postcompile itself is
not insecure as it still renders bound parameters
and does not stringify any literal values.

Change-Id: Ib5ac2f7ce37dc1415a67b117a9c31c0ee37270b3
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | doc/build/faq/sqlexpressions.rst | 6 |

1 files changed, 4 insertions, 2 deletions
diff --git a/doc/build/faq/sqlexpressions.rst b/doc/build/faq/sqlexpressions.rst index cc629f4cc..5dcf3e96a 100644 --- a/doc/build/faq/sqlexpressions.rst +++ b/doc/build/faq/sqlexpressions.rst @@ -338,7 +338,9 @@ in the same way, such as SQLite's positional form:: .. warning:: - Remember, all of the above code recipes are **only to be used when**: + Remember, **all** of the above code recipes which stringify literal + values, bypassing the use of bound parameters when sending statements + to the database, are **only to be used when**: 1. the use is **debugging purposes only** @@ -346,7 +348,7 @@ in the same way, such as SQLite's positional form:: 3. only with **local, trusted input** - The above recipes for stringification of parameters are **not secure in + The above recipes for stringification of literal values are **not secure in any way and should never be used against production databases**. .. _faq_sql_expression_percent_signs: |
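Review bot: In the first hunk (the `.. warning::` block at line 338), the new qualifier "which stringify literal values, bypassing the use of bound parameters" is doing the real work of excluding the `render_postcompile` recipe named in the commit message, but a reader skimming the bolded "**all** of the above code recipes" will still take the warning as applying to every recipe in the section. Consider stating the exclusion directly after the qualifier, e.g. "(the ``render_postcompile`` recipe above keeps bound parameters and is not affected)", so the distinction the commit is making is visible in the rendered docs and not only in the commit message. Minor style point: the restrictive clause reads better as "recipes that stringify literal values" rather than "recipes which".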
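Review bot: In the second hunk (line 346 onward), changing "stringification of parameters" to "stringification of literal values" keeps the terminology consistent with the first hunk, which is good, but the sentence "The above recipes ... are **not secure in any way and should never be used against production databases**" still refers to "the above recipes" without the same qualifier. Suggest mirroring the first hunk here, e.g. "The above recipes that stringify literal values are **not secure in any way ...**", so that both sentences scope the warning to the same set of recipes and neither can be read as covering the bound-parameter form.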