Merge pull request #262 from FedericoCeratto/patch-1

Add hint about SQL injections
mymarilyn · Oct 25, 2021 · 72996bf · 72996bf
2 parents 50da302 + fae5c0b
commit 72996bf
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/docs/quickstart.rst b/docs/quickstart.rst
@@ -57,15 +57,18 @@ Of course queries can and should be parameterized to avoid SQL injections:
         [('2018-10-21', 3)]
 
 Percent symbols in inlined constants should be doubled if you mix constants
-with ``%`` symbol and ``%(x)s`` parameters.
+with ``%`` symbol and ``%(myvar)s`` parameters.
 
     .. code-block:: python
 
         >>> client.execute(
-        ...     "SELECT 'test' like '%%es%%', %(x)s",
-        ...     {'x': 1}
+        ...     "SELECT 'test' like '%%es%%', %(myvar)s",
+        ...     {'myvar': 1}
         ... )
 
+NOTE: formatting queries using Python's f-strings or concatenation can lead to SQL injections.
+Use ``%(myvar)s`` parameters instead.
+
 Customisation ``SELECT`` output with ``FORMAT`` clause is not supported.
 
 .. _execute-with-progress: