From 0c7771b7d91bf4c62eb8d4710a763d749ccd018f Mon Sep 17 00:00:00 2001
From: Ondrej Mirtes <ondrej@mirtes.cz>
Date: Mon, 5 Aug 2024 15:46:13 +0200
Subject: [PATCH] Update README

---
 README.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/README.md b/README.md
index 4f148e8f..83bc5364 100644
--- a/README.md
+++ b/README.md
@@ -286,3 +286,19 @@ class Floor extends FunctionNode implements TypedExpression
 }
 
 ```
+
+## Literal strings
+
+Stub files in phpstan-doctrine come with many parameters marked with `literal-string`. This is a security-focused type that only allows literal strings written in code to be passed into these parameters.
+
+This reduces risk of SQL injection because dynamic strings from user input are not accepted in place of `literal-string`.
+
+An example where this type is used is `$sql` parameter in `Doctrine\Dbal\Connection::executeQuery()`.
+
+To enable this advanced type in phpstan-doctrine, use this configuration parameter:
+
+```neon
+parameters:
+	doctrine:
+		literalString: true
+```