Documentation for raw() and extra() should warn about SQL injection
Reported by: Erik Romijn
Owned by: mardini
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Using the raw() and extra() methods can result in SQL injection vulnerabilities, if not used carefully. However, the documentation does not mention this. The Security in Django document does include a warning regarding raw() and extra(), but I think a SQL injection is potentially so severe that we should also note this in the documentation for raw() and extra() itself.
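The injection risk the ticket refers to comes from building the SQL text of a raw() or extra() call with string formatting instead of passing values through the params argument. The following is an added example written for this page, not code from the ticket or from Django itself. It uses the standard-library sqlite3 module as a stand-in for a Django database backend so that it runs without Django installed; the Django equivalents of each query are shown in the comments. The table, rows and usernames are constructed sample data. One placeholder difference is assumed in the comments: Django always uses %s (or %(name)s) as the placeholder regardless of backend, while sqlite3 is called directly here with ?.

```python
import sqlite3

# Constructed sample data for the example (not from the ticket).
SAMPLE_ROWS = [
    ("alice", "alice@example.com", 0),
    ("bob", "bob@example.com", 0),
    ("carol", "carol@example.com", 1),  # the only admin
]

# A value an attacker would submit in a "username" form field.
INJECTION = "nobody' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database standing in for a Django backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE app_user ("
        "id INTEGER PRIMARY KEY, username TEXT, email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO app_user (username, email, is_admin) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def find_users_unsafe(conn, username):
    """Vulnerable pattern: the user-supplied value is pasted into the SQL text.

    This is the same mistake as writing, in Django,
        User.objects.raw("SELECT * FROM app_user WHERE username = '%s'" % username)
    or
        User.objects.extra(where=["username = '%s'" % username])
    The quotes are supplied by string formatting, so a value containing a
    quote character changes the structure of the query instead of being data.
    """
    sql = (
        "SELECT username FROM app_user WHERE username = '%s' ORDER BY username"
        % username
    )
    return [row[0] for row in conn.execute(sql)]


def find_users_safe(conn, username):
    """Hardened pattern: the value is bound as a query parameter.

    The Django equivalents (assumed from Django's documented signatures) are
        User.objects.raw("SELECT * FROM app_user WHERE username = %s", [username])
        User.objects.extra(where=["username = %s"], params=[username])
    The placeholder is not quoted in the SQL string; the driver quotes and
    escapes the value, so a quote inside it stays inside the literal.
    """
    sql = "SELECT username FROM app_user WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def quoted_placeholder_rejected(conn, username):
    """Caveat: quoting the placeholder ('?' here, '%s' in Django) turns it into
    a string literal, so the parameter is never bound. sqlite3 reports the
    binding-count mismatch as ProgrammingError; return True if it did.
    """
    sql = "SELECT username FROM app_user WHERE username = '?'"
    try:
        conn.execute(sql, (username,))
    except sqlite3.ProgrammingError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("unsafe:", find_users_unsafe(db, INJECTION))  # every user is returned
    print("safe:  ", find_users_safe(db, INJECTION))    # nobody has that literal name
    print("quoted placeholder rejected:", quoted_placeholder_rejected(db, "alice"))
```

With a benign username both functions return the same single row; with the injected value the formatted query returns every user, including the admin, while the parameterized query returns nothing. This is the behaviour the ticket asks the raw() and extra() documentation to call out: the API itself is safe only when values go through params and the placeholder is left unquoted.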