| field | value | date |
|---|---|---|
| author | Andrey Andreev <narf@devilix.net> | 2014-05-14 12:32:34 +0200 |
| committer | Andrey Andreev <narf@devilix.net> | 2014-05-14 12:32:34 +0200 |
| commit | 8c833f4c096a1fa9187c599943159eacb3f7133a (patch) | |
| tree | 6ac06409543a2f694905c61cd074f90ebbbb0bbb | |
| parent | 1ffa223bd3d201d00170b3376bdc099ea8f12957 (diff) | |
[ci skip] Add a note about QB escaping field names
-rw-r--r-- | user_guide_src/source/database/queries.rst | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/user_guide_src/source/database/queries.rst b/user_guide_src/source/database/queries.rst index 11dd78392..5d168c275 100644 --- a/user_guide_src/source/database/queries.rst +++ b/user_guide_src/source/database/queries.rst @@ -19,7 +19,7 @@ this:: $query = $this->db->query('YOUR QUERY HERE'); $this->db->simple_query(); -=========================== +========================== This is a simplified version of the $this->db->query() method. It DOES NOT return a database result set, nor does it set the query timer, or @@ -43,9 +43,9 @@ fetchable results. echo "Query failed!"; } -.. note:: PostgreSQL's pg_exec() function always returns a resource on - success, even for write type queries. So take that in mind if - you're looking for a boolean value. +.. note:: PostgreSQL's ``pg_exec()`` function (for example) always + returns a resource on success, even for write type queries. + So take that in mind if you're looking for a boolean value. *************************************** Working with Database prefixes manually @@ -76,6 +76,10 @@ identifier you can use:: $this->db->protect_identifiers('table_name'); +.. important:: Although the Query Builder will try its best to properly + quote any field and table names that you feed it, note that it + is NOT designed to work with arbitrary user input. DO NOT feed it + with unsanitized user data. This function will also add a table prefix to your table, assuming you have a prefix specified in your database config file. To enable the |
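Review bot: the trimmed `==========================` underline beneath `$this->db->simple_query();` now matches the 26-character title exactly; reStructuredText only complains when an underline is shorter than its title, so the previous 27-character underline was harmless and this hunk is a purely cosmetic fix, fine as is.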
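Review bot: the inserted "(for example)" in the PostgreSQL note leaves the reader guessing what ``pg_exec()`` is an example of, since the note names no other driver or function and no general rule; either drop the parenthetical or lead with the general statement and give PostgreSQL as the instance, e.g. `.. note:: Some database drivers always return a resource on success, even for write type queries; PostgreSQL's ``pg_exec()`` is one example.` While touching these lines, "So take that in mind" should read "So keep that in mind".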
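Review bot: the new ``.. important::`` block is inserted between the ``$this->db->protect_identifiers('table_name');`` example and the sentence "This function will also add a table prefix to your table", so "This function" now appears to refer to the Query Builder rather than to protect_identifiers(); move the note after that paragraph (or to the end of the section) so the prose about protect_identifiers() stays contiguous. The note also talks only about the "Query Builder" while the surrounding text documents protect_identifiers() itself; it should say explicitly whether that function is covered by the same caveat. Finally, a warning that says only "DO NOT" is less useful than one that says what to do instead, e.g. validate a caller-supplied field or table name against a whitelist of known column names before passing it to the builder. Minor: "DO NOT feed it with unsanitized user data" should be "DO NOT feed it unsanitized user data".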