diff --git a/README.md b/README.md index 5b41d7ea..07cc9856 100644 --- a/README.md +++ b/README.md @@ -146,11 +146,10 @@ You could help continuing its development by: - [Suggest new features and report issues](https://github.com/pocketbase/pocketbase/issues) - [Donate a small amount](https://pocketbase.io/support-us) -PRs for _small features_ (eg. adding new OAuth2 providers), bug fixes, code and documentation improvements are more than welcome. +PRs for new OAuth2 providers, bug fixes, code optimizations and documentation improvements are more than welcome. -But please refrain creating PRs for _new features_ without previously discussing the implementation details. Reviewing big PRs often requires a lot of time and tedious back-and-forth communication. -PocketBase has a [roadmap](https://github.com/orgs/pocketbase/projects/2) -and I try to work on issues in a specific order and such PRs often come in out of nowhere and skew all initial planning. +But please refrain creating PRs for _new features_ without previously discussing the implementation details. +PocketBase has a [roadmap](https://github.com/orgs/pocketbase/projects/2) and I try to work on issues in specific order and such PRs often come in out of nowhere and skew all initial planning with tedious back-and-forth communication. Don't get upset if I close your PR, even if it is well executed and tested. This doesn't mean that it will never be merged. Later we can always refer to it and/or take pieces of your implementation when the time comes to work on the issue (don't worry you'll be credited in the release notes). diff --git a/daos/record.go b/daos/record.go index c94a7d54..8013ec0d 100644 --- a/daos/record.go +++ b/daos/record.go 
@@ -230,6 +230,9 @@ func (dao *Dao) FindFirstRecordByData( // If the limit argument is <= 0, no limit is applied to the query and // all matching records are returned. // +// NB Don't put untrusted user input in the filter string as it +// practically would allow the users to inject their own custom filter. +// // Example: // // dao.FindRecordsByFilter("posts", "title ~ 'lorem ipsum' && visible = true", "-created", 10) @@ -291,6 +294,9 @@ func (dao *Dao) FindRecordsByFilter( // FindFirstRecordByFilter returns the first available record matching the provided filter. // +// NB Don't put untrusted user input in the filter string as it +// practically would allow the users to inject their own custom filter. +// // Example: // // dao.FindFirstRecordByFilter("posts", "slug='test'")
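Review bot: In the README hunk (a/README.md, lines 146-155), the added lines carry two grammar slips that the rewrite should fix while it is touching them: "refrain creating PRs" should read "refrain from creating PRs" (it was already wrong in the removed line and is kept in the new one), and "work on issues in specific order" drops the article that the removed line had, so it should stay "in a specific order". Suggested wording for the first added sentence: "But please refrain from creating PRs for _new features_ without previously discussing the implementation details." The merge of the "tedious back-and-forth communication" clause into the roadmap sentence reads fine otherwise.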
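Review bot: The new "NB" paragraph in the FindRecordsByFilter doc comment (hunk @@ -230,6 +230,9 @@) says what not to do but gives callers no safe alternative, so a developer who needs a user-supplied value in the filter is left to concatenate anyway. It should either state the intended pattern for incorporating user-provided values (a bound parameter or a documented escaping helper, if the package offers one) or say plainly that the filter string must be built only from constants under the caller's control, as in the existing example `dao.FindRecordsByFilter("posts", "title ~ 'lorem ipsum' && visible = true", "-created", 10)`. The wording "practically would allow the users to inject their own custom filter" is also vague about the consequence; "would effectively let the user replace the intended filter expression and read records the caller did not intend to expose" tells the reader why the rule matters.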
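Review bot: The second hunk (@@ -291,6 +294,9 @@) duplicates the same three-line "NB" text verbatim in the FindFirstRecordByFilter doc comment; since the two warnings will drift apart the next time one is edited, it is cleaner to keep the full explanation on FindRecordsByFilter and have this comment say "See the note on FindRecordsByFilter about untrusted input in the filter string." Whatever wording is chosen, the same fix for the vague "practically would allow" phrasing should be applied here so the two comments stay consistent, and the example `dao.FindFirstRecordByFilter("posts", "slug='test'")` could note that `'test'` is a literal, not a value taken from a request.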