Warn about SQL injection in the tutorial.

2010-07-16 01:18:20 +08:00 · 2010-07-16 01:18:20 +08:00 · b4b2f42f48
commit b4b2f42f48
parent 82b143f972
1 changed files with 7 additions and 0 deletions
--- a/docs/tutorial/views.rst
+++ b/docs/tutorial/views.rst
@ -48,6 +48,13 @@ redirect back to the `show_entries` page::
 Note that we check that the user is logged in here (the `logged_in` key is
 present in the session and `True`).

+.. admonition:: Security Note
+
+   Be sure to use question marks when building SQL statements, as done in the
+   example above.  Otherwise, your app will be vulnerable to SQL injection when
+   you use string formatting to build SQL statements.
+   See :ref:`sqlite3` for more.
+
 Login and Logout
 ----------------