From a0ae664ae0a66bec36571208b3acd3868619de68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C5=A0ar=C5=ABnas=20Nejus?= Date: Thu, 7 Aug 2025 16:46:14 +0100 Subject: [PATCH] Add a note about SQL injection --- CONTRIBUTING.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst index 11dac07d8..031e8fbc5 100644 --- a/CONTRIBUTING.rst +++ b/CONTRIBUTING.rst @@ -242,12 +242,12 @@ There are a few coding conventions we use in beets: To fetch Item objects from the database, use lib.items(…) and supply a query as an argument. Resist the urge to write raw SQL for your query. If you must - use lower-level queries into the database, do this: + use lower-level queries into the database, do this, for example: .. code-block:: python with lib.transaction() as tx: - rows = tx.query("SELECT …") + rows = tx.query("SELECT path FROM items WHERE album_id = ?", (album_id,)) Transaction objects help control concurrent access to the database and assist in debugging conflicting accesses.
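Review bot: the new example line `rows = tx.query("SELECT path FROM items WHERE album_id = ?", (album_id,))` shows parameter binding, but the surrounding text in this hunk still never states the rule the example is meant to teach, even though the commit subject is "Add a note about SQL injection". Add a sentence after the code block, for example: "Always pass values as the second argument so the database driver binds them; never format or concatenate them into the SQL string, or a crafted path or tag value can change the query." Without that sentence a contributor can copy the shape of the call and still build the statement with an f-string, which is exactly what the note is supposed to prevent.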