Author: russellm
Date: 2009-12-20 19:53:39 -0600 (Sun, 20 Dec 2009)
New Revision: 11924
Added:
django/trunk/tests/modeltests/raw_query/__init__.py
Modified:
django/trunk/docs/topics/db/sql.txt
Log:
Fixed #12409 -- Corrected some documentation typos in the docs on raw
querysets. Also added a missing __init__.py file. Thanks to Alex Gaynor for the
reports.
Modified: django/trunk/docs/topics/db/sql.txt
===================================================================
--- django/trunk/docs/topics/db/sql.txt 2009-12-20 22:46:35 UTC (rev 11923)
+++ django/trunk/docs/topics/db/sql.txt 2009-12-21 01:53:39 UTC (rev 11924)
@@ -154,13 +154,13 @@
It's tempting to write the above query as::
- >>> query = 'SELECT * FROM myapp_person WHERE last_name = %s', % lname
+ >>> query = 'SELECT * FROM myapp_person WHERE last_name = %s' % lname
>>> Person.objects.raw(query)
**Don't.**
Using the ``params`` list completely protects you from `SQL injection
- attacks`__`, a common exploit where attackers inject arbitrary SQL into
+ attacks`__, a common exploit where attackers inject arbitrary SQL into
your database. If you use string interpolation, sooner or later you'll
fall victim to SQL injection. As long as you remember to always use the
``params`` list you'll be protected.
Added: django/trunk/tests/modeltests/raw_query/__init__.py
===================================================================
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/django-updates?hl=en.
