| author | Mike Bayer <mike_mp@zzzcomputing.com> | 2021-12-06 12:41:36 -0500 |
|---|---|---|
| committer | Mike Bayer <mike_mp@zzzcomputing.com> | 2021-12-06 12:42:36 -0500 |
| commit | 6c400f300dbcc4cb49beb15136d1d364d835f1be (patch) | |
| tree | 731cec6219d8f98535310bd983b39ec87149f69b | |
| parent | 9eefda17ec4178f55786401bff3538a178a29707 (diff) | |
| download | sqlalchemy-6c400f300dbcc4cb49beb15136d1d364d835f1be.tar.gz | |
qualify the stringification warning
the recipe which uses render_postcompile itself is
not insecure as it still renders bound parameters
and does not stringify any literal values.
Change-Id: Ib5ac2f7ce37dc1415a67b117a9c31c0ee37270b3
(cherry picked from commit 973b6ccbf1f81d2357d310ed44717fe37df96ac6)
| -rw-r--r-- | doc/build/faq/sqlexpressions.rst | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/doc/build/faq/sqlexpressions.rst b/doc/build/faq/sqlexpressions.rst index cc629f4cc..5dcf3e96a 100644 --- a/doc/build/faq/sqlexpressions.rst +++ b/doc/build/faq/sqlexpressions.rst @@ -338,7 +338,9 @@ in the same way, such as SQLite's positional form:: .. warning:: - Remember, all of the above code recipes are **only to be used when**: + Remember, **all** of the above code recipes which stringify literal + values, bypassing the use of bound parameters when sending statements + to the database, are **only to be used when**: 1. the use is **debugging purposes only** @@ -346,7 +348,7 @@ in the same way, such as SQLite's positional form:: 3. only with **local, trusted input** - The above recipes for stringification of parameters are **not secure in + The above recipes for stringification of literal values are **not secure in any way and should never be used against production databases**. .. _faq_sql_expression_percent_signs: |
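Review bot: the reworded warning in the first hunk narrows its scope to "recipes which stringify literal values, bypassing the use of bound parameters", but the warning body never says which of the preceding recipes fall outside that scope, so a reader still has to work out for themselves that the ``render_postcompile`` recipe (which, per the commit message, keeps rendering bound parameters and stringifies no literal values) is exempt. Consider naming it directly, e.g. add a sentence after the three numbered items such as "The ``render_postcompile`` recipe above continues to render bound parameters and is not subject to this caution." so the exemption is stated on the page rather than only in the commit message.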
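Review bot: the second hunk changes "stringification of parameters" to "stringification of literal values", which matches the first hunk, but the sentence still opens with "The above recipes", while the first hunk now says "**all** of the above code recipes which stringify literal values"; for consistency and to avoid re-widening the scope the first hunk just narrowed, consider "The above recipes which stringify literal values are **not secure in any way ...**" so both sentences refer to the same subset of recipes.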
