gh-102058: Update descriptor.rst #102059
Conversation
You should use double backticks.
Added replaced * with note Co-authored-by: Eclips4 <80244920+Eclips4@users.noreply.github.com>
Thanks, but I don't think this full paragraph warning is necessary. In this ORM example, the attribute names and owners come from the class definition, and are not program inputs (which is where the risk of SQL injection would come from). The warning is unrelated to descriptors, so IMO this mostly just serves as a distraction. Descriptors are a relatively advanced concept; I think we can trust our readers here to determine for themselves when SQL injection is a risk.
I agree, @hauntsaninja. Also, the interpolated values are used in places where SQLite placeholders are not applicable; for example, you cannot use placeholders to choose which table you want to query. If there is one enhancement we could do here, it might be to link to the @Eclips4: please see the devguide for our review practices.
Thanks @erlend-aasland & @hauntsaninja for the answer! In this example we intentionally didn't use placeholders (see :ref:`sqlite3-placeholders` for more details).
In fact, we did :) @Eclips4
@erlend-aasland As I said, if you use string formatting, you should check if data in a string is correct (I'd say I propose to write: see :ref:`sqlite3-placeholders` for more information about the use of placeholders in sqlite3). If we're OK with that, I'll commit the changes.
As the other commenters noted, this editorializing is a distractor from showing how descriptors work. Also, there is no placeholder solution to choosing the table name. Thanks for the suggestion, but I am going to decline this PR. |
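The distinction the reviewers draw above (identifiers fixed by the class body versus runtime data that belongs in placeholders), as an added example that is not code from this PR or from the CPython docs: a small ORM-style descriptor in which the table, key and column names are captured in `__set_name__` at class creation, while the row key and stored value always go through sqlite3 `?` parameters. The in-memory `Movies` table, its single row, and the `Field`/`Movie` names are constructed for this example.

```python
import sqlite3

# Constructed in-memory database for this example (not from the PR or the docs).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE Movies (title TEXT PRIMARY KEY, director TEXT, year INTEGER)")
conn.execute("INSERT INTO Movies VALUES ('Jaws', 'Spielberg', 1975)")
conn.commit()


class Field:
    """Descriptor mapping an attribute to one column of a SQLite table.

    Table, key and column names are taken from the class body in __set_name__,
    which runs once at class creation. Identifiers cannot be bound with '?'
    placeholders, so they are interpolated here; the row key and the stored
    value are runtime data and are always passed as parameters.
    """

    def __set_name__(self, owner, name):
        self.fetch = f"SELECT {name} FROM {owner.table} WHERE {owner.key}=?"
        self.store = f"UPDATE {owner.table} SET {name}=? WHERE {owner.key}=?"

    def __get__(self, obj, objtype=None):
        if obj is None:
            return self  # attribute accessed on the class, not an instance
        row = conn.execute(self.fetch, [obj.key]).fetchone()
        return row[0] if row is not None else None

    def __set__(self, obj, value):
        conn.execute(self.store, [value, obj.key])
        conn.commit()


class Movie:
    table = "Movies"   # identifier baked into the SQL at class creation
    key = "title"
    director = Field()
    year = Field()

    def __init__(self, key):
        self.key = key  # runtime value, always passed as a '?' parameter


def query_templates():
    """The SQL strings built at class creation: identifiers fixed, data as '?'."""
    return {"director": Movie.director.fetch, "year": Movie.year.store}


def lookup(title):
    """Read both columns for a row; None values mean no such row exists."""
    m = Movie(title)
    return {"director": m.director, "year": m.year}


def set_year(title, year):
    """Update a row's year through the descriptor and read it back."""
    Movie(title).year = year
    return Movie(title).year
```

Because `__set_name__` runs when the `Movie` class body is executed, the only strings ever interpolated into SQL are `Movies`, `title`, `director` and `year`, all written by the class author; a title containing a quote (say `Ocean's Eleven`) is handed to sqlite3 as a parameter and simply matches no row.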
Fixes #102058