search

belchior / sql_query_builder

Write SQL queries in a simple and composable way
https://crates.io/crates/sql_query_builder
MIT License
54 stars 5 forks source link

Sanitize input #24

Closed eirnym closed 2 months ago

eirnym commented 2 months ago

all tables and columns are to be sanitized.

Example following code:

    let select = sql::Select::new()
    .select("id, login")
    .from("us e \"rs")
    .where_clause("login = $1").as_string();

    println!("{select}");

which has invalid output:

SELECT id, login FROM us e "rs WHERE login = $1
belchior commented 2 months ago

Is recommended to use the driver layer to sanitize the SQL text before execute. In this issue has an example using tokio-postgres.

Optionally you can use the debug method to help catch this type of issue

eirnym commented 2 months ago

thank you for a suggestion, but this is not an option in case of tables. Thus, I don't see it as a duplicate. Additionally, drivers doesn't provide any way to this sanitisation, as there's impossible to insert parameters in FROM section.

FYI: table name may contain any kind of symbols and usually quoted with database-specific quotes separately.

belchior commented 2 months ago

In my first comment I thought you try to report a SQL injection, thus I added the duplicate tag.

The lib has no syntax parser to validate the final output so if it changes the input of the user has no guarantee that the transformation will result in a valid syntax.

As said in the main documentation the library don't try to understand what you type inside the parameters, this make possible to write more idiomatic SQL queries but the down side is that it not detect typos or invalid SQL syntax, to minimize this annoying problem you can use the debug method.

eirnym commented 2 months ago

It would be nice if sanitisation options will be provided by the library.