Filtering arguments in update where clause for SQL injection protection

[dieseldjango]

The update method conveniently builds the SQL for an update statement, but for the 'where' clause it simply takes in a string of SQL. If I pass in a value in the where clause that came from somewhere possibly untrusted, it looks like I'd be introducing a vector for a SQL injection attack. It would be nice if the method exposed a way to pass in a parameterized clause so values could be safely handled.

---

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.