From 8c833f4c096a1fa9187c599943159eacb3f7133a Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Wed, 14 May 2014 13:32:34 +0300
Subject: [ci skip] Add a note about QB escaping field names

---
 user_guide_src/source/database/queries.rst | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
(limited to 'user_guide_src')

diff --git a/user_guide_src/source/database/queries.rst b/user_guide_src/source/database/queries.rst
index 11dd78392..5d168c275 100644
--- a/user_guide_src/source/database/queries.rst
+++ b/user_guide_src/source/database/queries.rst
@@ -19,7 +19,7 @@ this::
 $query = $this->db->query('YOUR QUERY HERE');
 
 $this->db->simple_query();
-===========================
+==========================
 
 This is a simplified version of the $this->db->query() method. It DOES
 NOT return a database result set, nor does it set the query timer, or
@@ -43,9 +43,9 @@ fetchable results.
 echo "Query failed!";
 }
 
-.. note:: PostgreSQL's pg_exec() function always returns a resource on
-success, even for write type queries. So take that in mind if
-you're looking for a boolean value.
+.. note:: PostgreSQL's ``pg_exec()`` function (for example) always
+returns a resource on success, even for write type queries.
+So take that in mind if you're looking for a boolean value.
 
 ***************************************
 Working with Database prefixes manually
@@ -76,6 +76,10 @@ identifier you can use::
 
 $this->db->protect_identifiers('table_name');
 
+.. important:: Although the Query Builder will try its best to properly
+quote any field and table names that you feed it, note that it
+is NOT designed to work with arbitrary user input. DO NOT feed it
+with unsanitized user data.
 
 This function will also add a table prefix to your table, assuming you
 have a prefix specified in your database config file. To enable the
-- 
cgit v1.2.3-24-g4f1b