Commit 2b0e9aa5 authored by Moayad Mardini, committed by Tim Graham

[1.6.x] Fixed #22493 - Added warnings to raw() and extra() docs about SQL injection

Thanks Erik Romijn for the suggestion.

Backport of 3776926c from master
parent 42659ceb
+7 −0
@@ -975,6 +975,13 @@ Sometimes, the Django query syntax by itself can't easily express a complex
``QuerySet`` modifier — a hook for injecting specific clauses into the SQL
generated by a ``QuerySet``.

.. warning::

    You should be very careful whenever you use ``extra()``. Every time you use
    it, you should escape any parameters that the user can control by using
    ``params`` in order to protect against SQL injection attacks . Please
    read more about :ref:`SQL injection protection <sql-injection-protection>`.

By definition, these extra lookups may not be portable to different database
engines (because you're explicitly writing SQL code) and violate the DRY
principle, so you should avoid them if possible.
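Review bot: The added warning's phrase "escape any parameters that the user can control by using ``params``" describes the mechanism inaccurately: ``params`` does not escape values into the SQL string, it hands them to the database driver as bound query parameters, and that binding is the protection. Suggest wording along the lines of "pass any value the user can control via ``params`` rather than interpolating it into the SQL string". There is also a stray space before the full stop in "SQL injection attacks .".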
+8 −0
@@ -13,6 +13,14 @@ return model instances`__, or you can avoid the model layer entirely and
__ `performing raw queries`_
__ `executing custom SQL directly`_

.. warning::

    You should be very careful whenever you write raw SQL. Every time you use
    it, you should properly escape any parameters that the user can control
    by using ``params`` in order to protect against SQL injection attacks.
    Please read more about :ref:`SQL injection protection
    <sql-injection-protection>`.

.. _executing-raw-queries:

Performing raw queries
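Review bot: Same wording concern as in the ``extra()`` warning: "properly escape any parameters ... by using ``params``" presents parameter binding as escaping. Since the context lines link to both "performing raw queries" and "executing custom SQL directly", the warning would be clearer if it said that the parameter argument is the right place for user-controlled values on both paths, so readers who skip straight to the custom-SQL section do not read ``params`` as a ``raw()``-only feature.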
+1 −0
@@ -79,6 +79,7 @@ HSTS for supported browsers.
Be very careful with marking views with the ``csrf_exempt`` decorator unless
it is absolutely necessary.

.. _sql-injection-protection:

SQL injection protection
========================
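Review bot: The new ``.. _sql-injection-protection:`` target is placed correctly, immediately above the "SQL injection protection" title with a single blank line between them, which is what the two ``:ref:`` cross-references added in the other files require; no change needed here.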