Closed brandonros closed 1 year ago
The SQL injection is beyond the scope of the library but you can mitigate this vulnerability using placeholders like login = $1.
The example below uses tokio_postgres to prevent against SQL injection.
    use sql_query_builder as sql;
    use tokio_postgres::{types::ToSql, Client, Error, Row};

    type QueryParam<'a> = &'a (dyn ToSql + Sync);

    pub async fn get_user(client: &Client, user_login: &str) -> Result<Vec<Row>, Error> {
        // The user value is bound as a parameter, never spliced into the SQL text.
        let params: Vec<QueryParam> = vec![user_login];
        let query = sql::Select::new()
            .select("id, login")
            .from("users")
            .where_clause("login = $1") // placeholder; the driver binds the value
            .to_string();
        let rows = client.query(query.as_str(), &params[..]).await?;
        Ok(rows)
    }
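As an added example (not the library's or the commenter's code, and using only the standard library rather than tokio_postgres), the following contrasts the two ways the builder's output can be used: passing the value as a parameter keeps the statement text constant for any input, while interpolating it changes the statement itself. `ParamQuery` and the function names are constructed for this illustration.

```rust
// Added example, not the library's code: the builder only produces SQL text;
// the values travel separately, so the statement text never depends on input.

/// A statement plus its positional parameters, mirroring the two arguments
/// tokio_postgres's `client.query(sql, &params)` receives.
#[derive(Debug, PartialEq)]
pub struct ParamQuery {
    pub sql: String,
    pub params: Vec<String>,
}

/// Parameterized: the statement only ever contains the placeholder `$1`.
pub fn get_user_query(user_login: &str) -> ParamQuery {
    ParamQuery {
        sql: "SELECT id, login FROM users WHERE login = $1".to_string(),
        params: vec![user_login.to_string()],
    }
}

/// Interpolated: the user value becomes part of the SQL text itself.
/// Shown only for contrast; this is the pattern the placeholder avoids.
pub fn get_user_query_interpolated(user_login: &str) -> String {
    format!("SELECT id, login FROM users WHERE login = '{}'", user_login)
}

/// Check a caller can apply in a unit test: the statement text must be
/// identical for any two inputs, i.e. input may only affect `params`.
pub fn statement_is_input_independent(a: &str, b: &str) -> bool {
    get_user_query(a).sql == get_user_query(b).sql
}

fn main() {
    // Constructed sample input containing a quote character.
    let login = "o'brien";
    let q = get_user_query(login);
    println!("sql: {}\nparams: {:?}", q.sql, q.params);
    // The interpolated form carries the quote into the statement text.
    println!("interpolated: {}", get_user_query_interpolated(login));
}
```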
By only having as_string(), isn't this library vulnerable to SQL injection?