DOC: Add docs for read_sql to avoid sql injection (#56546)

* add docs for read_sql to avoid sql injection

* resolve formatting

* re-word the docs

* formatting

* refactor the example due to the length constraints

* remove reference directing users to use params

* changed to the general warning

* add the example for using params

---------

Co-authored-by: Hanxin Chen <[email protected]>

Author: erichxchen

pandas/io/sql.py

@@ -652,6 +652,14 @@ def read_sql(
     read_sql_table : Read SQL database table into a DataFrame.
     read_sql_query : Read SQL query into a DataFrame.
 
+    Notes
+    -----
+    ``pandas`` does not attempt to sanitize SQL statements;
+    instead it simply forwards the statement you are executing
+    to the underlying driver, which may or may not sanitize from there.
+    Please refer to the underlying driver documentation for any details.
+    Generally, be wary when accepting statements from arbitrary sources.
+
     Examples
     --------
     Read data from SQL via either a SQL query or a SQL tablename.
@@ -672,6 +680,14 @@ def read_sql(
 
     >>> pd.read_sql('test_data', 'postgres:///db_name')  # doctest:+SKIP
 
+    For parameterized query, using ``params`` is recommended over string interpolation.
+
+    >>> from sqlalchemy import text
+    >>> sql = text('SELECT int_column, date_column FROM test_data WHERE int_column=:int_val')
+    >>> pd.read_sql(sql, conn, params={'int_val': 1})  # doctest:+SKIP
+       int_column date_column
+    0           1    12/11/10
+
     Apply date parsing to columns through the ``parse_dates`` argument
     The ``parse_dates`` argument calls ``pd.to_datetime`` on the provided columns.
     Custom argument values for applying ``pd.to_datetime`` on a column are specified
@@ -694,7 +710,7 @@ def read_sql(
        int_column
     0           0
     1           1
-    """
+    """  # noqa: E501
 
     check_dtype_backend(dtype_backend)
     if dtype_backend is lib.no_default: