[1.10.x] Fixed #26899 -- Documented why RawSQL params is a required parameter.

Backport of 7bf3ba0d0c700670d13d7683eec7bd3eb3d4dd1f from master
2025-03-13 02:40:47 +00:00 · 2016-07-21 15:28:31 +01:00 · 2016-07-21 15:28:31 +01:00 · 5cc6190788
commit 5cc6190788
parent c8d166241f
1 changed files with 3 additions and 1 deletions
--- a/docs/ref/models/expressions.txt
+++ b/docs/ref/models/expressions.txt
@ -463,7 +463,9 @@ should avoid them if possible.

    You should be very careful to escape any parameters that the user can
    control by using ``params`` in order to protect against :ref:`SQL injection
-    attacks <sql-injection-protection>`.
+    attacks <sql-injection-protection>`. ``params`` is a required argument to
+    force you to acknowledge that you're not interpolating your SQL with user
+    provided data.

 .. currentmodule:: django.db.models