Emphasize alternatives to literal() in the query builder

Description

I see a lot of people using literal in the query builder:

That's a terrible approach: it's basically the same as concatenating values in your query, and therefore vulnerable to injection attacks. => actually no, strings are quoted

I suspect people do that in methods that rebuild the query every time, which is inefficient.

  • add a section in the main query builder manual page, to explain better alternatives: build with bind markers and provide the values separately, or prepare

  • add a warning in the literal() javadocs
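The two alternatives named above, as an added example written for this page (not code from the driver project or from the issue itself). It targets the 4.x query builder API (`QueryBuilder.selectFrom`, `bindMarker()`, `build(Object...)`, `CqlSession.prepare`); the `users` table, its `id` column, the `UserDao` class and the `session` passed to it are assumptions made for the illustration.

```java
import com.datastax.oss.driver.api.core.CqlSession;
import com.datastax.oss.driver.api.core.cql.BoundStatement;
import com.datastax.oss.driver.api.core.cql.PreparedStatement;
import com.datastax.oss.driver.api.core.cql.ResultSet;
import com.datastax.oss.driver.api.core.cql.SimpleStatement;
import com.datastax.oss.driver.api.querybuilder.select.Select;

import static com.datastax.oss.driver.api.querybuilder.QueryBuilder.bindMarker;
import static com.datastax.oss.driver.api.querybuilder.QueryBuilder.literal;
import static com.datastax.oss.driver.api.querybuilder.QueryBuilder.selectFrom;

// Hypothetical DAO used to contrast literal() with bind markers.
public class UserDao {
  private final CqlSession session;          // assumed to be created elsewhere
  private final PreparedStatement selectById;

  public UserDao(CqlSession session) {
    this.session = session;

    // What the issue warns against: embedding the value with literal(). The
    // query text then changes for every id, so it is rebuilt and re-parsed on
    // each call and cannot be prepared once.
    //   Select perCall = selectFrom("users").all()
    //       .whereColumn("id").isEqualTo(literal(42));

    // Alternative 1: build the query once with a bind marker, prepare it once,
    // and bind a fresh value per call (values never enter the query text).
    Select select = selectFrom("users").all()
        .whereColumn("id").isEqualTo(bindMarker());
    this.selectById = session.prepare(select.build());
  }

  public ResultSet findById(int id) {
    BoundStatement bound = selectById.bind(id);
    return session.execute(bound);
  }

  // Alternative 2: keep the bind marker but skip preparation; the value is
  // passed to build(...) and shipped separately from the query string.
  public ResultSet findByIdUnprepared(int id) {
    SimpleStatement stmt = selectFrom("users").all()
        .whereColumn("id").isEqualTo(bindMarker())
        .build(id);
    return session.execute(stmt);
  }
}
```

Preparing once (Alternative 1) is the form to use for queries that run repeatedly; `build(values)` (Alternative 2) suits one-off statements where preparation is not worth it. In both, the query text is constant and the values travel as separate protocol parameters, which is the property `literal()` gives up.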

Environment

None

Pull Requests

None

Status

Assignee

Olivier Michallat

Reporter

Olivier Michallat

Labels

None

PM Priority

None

Reproduced in

None

External issue ID

None

Doc Impact

None

Reviewer

None

Size

None

Fix versions

Priority

Minor