Closed eirnym closed 2 months ago
Is recommended to use the driver layer to sanitize the SQL text before execute. In this issue has an example using tokio-postgres.
Optionally you can use the debug method to help catch this type of issue
thank you for a suggestion, but this is not an option in case of tables. Thus, I don't see it as a duplicate. Additionally, drivers doesn't provide any way to this sanitisation, as there's impossible to insert parameters in FROM
section.
FYI: table name may contain any kind of symbols and usually quoted with database-specific quotes separately.
In my first comment I thought you try to report a SQL injection, thus I added the duplicate tag.
The lib has no syntax parser to validate the final output so if it changes the input of the user has no guarantee that the transformation will result in a valid syntax.
As said in the main documentation the library don't try to understand what you type inside the parameters, this make possible to write more idiomatic SQL queries but the down side is that it not detect typos or invalid SQL syntax, to minimize this annoying problem you can use the debug method.
It would be nice if sanitisation options will be provided by the library.
all tables and columns are to be sanitized.
Example following code:
which has invalid output: