From b4b2f42f48684fbb4c2d56f4f83d01b2be421a39 Mon Sep 17 00:00:00 2001 From: Ron DuPlain Date: Fri, 16 Jul 2010 01:18:20 +0800 Subject: [PATCH] Warn about SQL injection in the tutorial. --- docs/tutorial/views.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/tutorial/views.rst b/docs/tutorial/views.rst index 0bce03a3..f2871257 100644 --- a/docs/tutorial/views.rst +++ b/docs/tutorial/views.rst @@ -48,6 +48,13 @@ redirect back to the `show_entries` page:: Note that we check that the user is logged in here (the `logged_in` key is present in the session and `True`). +.. admonition:: Security Note + + Be sure to use question marks when building SQL statements, as done in the + example above. Otherwise, your app will be vulnerable to SQL injection when + you use string formatting to build SQL statements. + See :ref:`sqlite3` for more. + Login and Logout ----------------
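Review bot: the admonition's "Be sure to use question marks when building SQL statements" names the syntax rather than the mechanism, and a reader can add a `?` to a string that is still built with string formatting and gain nothing; what prevents injection is passing the user-supplied values as the separate parameter tuple to `execute()` so the sqlite3 driver binds them. Suggest rewording the body to something like "Pass values to the database as query parameters (the question marks in the example above) instead of building SQL statements with string formatting; otherwise your app will be vulnerable to SQL injection." Also confirm that the `sqlite3` label referenced by `:ref:` is defined somewhere in the docs, since an unresolved label only surfaces as a Sphinx warning at build time and the note would then point nowhere.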