From 84391763a8d5911c387c9965c86c8d45f39b31fb Mon Sep 17 00:00:00 2001 From: Simon Willison Date: Tue, 25 Jan 2022 10:39:03 -0800 Subject: [PATCH] Clarify that magic parameters don't work for custom SQL --- docs/sql_queries.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/sql_queries.rst b/docs/sql_queries.rst index f9a36490..010e3205 100644 --- a/docs/sql_queries.rst +++ b/docs/sql_queries.rst @@ -275,6 +275,8 @@ Magic parameters Named parameters that start with an underscore are special: they can be used to automatically add values created by Datasette that are not contained in the incoming form fields or query string. +These magic parameters are only supported for canned queries: to avoid security issues (such as queries that extract the user's private cookies) they are not available to SQL that is executed by the user as a custom SQL query. + Available magic parameters are: ``_actor_*`` - e.g. ``_actor_id``, ``_actor_name``
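Review bot: the added sentence in the "Magic parameters" hunk says these parameters are "not available" to custom SQL but does not say what a user sees when a custom query references one such as `:_actor_id`; please state whether Datasette rejects the query or simply treats it as an ordinary named parameter that has to be supplied by the caller, so readers can distinguish the two cases. The only concrete risk given is "queries that extract the user's private cookies", yet the list that follows starts with `_actor_*`, so phrasing the risk more generally would help, for example that a query written by an arbitrary visitor could read any value Datasette derives from that visitor's request (actor identity as well as cookies), whereas a canned query is authored by the site owner. One suggested wording: "These magic parameters are only supported for canned queries: to avoid security issues (for example a query written by a visitor that extracts that visitor's private cookies or actor details) they are not available to SQL that is executed by the user as a custom SQL query."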