njord-rs / njord

A versatile, feature-rich Rust ORM ⛵
https://njord.rs
BSD 3-Clause "New" or "Revised" License

Prevent SQL Injection #186

Open chaseWillden opened 3 weeks ago

chaseWillden commented 3 weeks ago

Currently we are using the format! function to create the SQL statements; this technically would allow for easy SQL injection attacks. This is to provide sanitization of the SQL before execution.

mjovanc commented 2 weeks ago

You mean doing something like this below?

```rust
fn sanitize_input(input: &str) -> String {
    input
        .replace('\'', "''") // Escape single quotes
        .replace('\\', "\\\\") // Escape backslashes
        .replace('%', "\\%") // Escape LIKE wildcards
        .replace('_', "\\_") // Escape LIKE wildcards
}
```
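As an added example, not code from njord or from either comment above, here is the format!-built statement the issue describes next to a placeholder query that hands the value to the driver separately; the `PreparedQuery` type, `validate_identifier` and the table name are assumptions for illustration. Escaping as in the snippet above only protects a value that sits inside a quoted literal and depends on the database's quoting rules, whereas a placeholder never puts the value into the SQL text at all.

```rust
// Added example (not njord's code): a format!-built statement next to a
// placeholder query that keeps values out of the SQL text entirely.

/// SQL text with `?` placeholders plus the values to bind, in order.
/// A driver binds `params` as data, so they can never become SQL.
#[derive(Debug, PartialEq)]
pub struct PreparedQuery {
    pub sql: String,
    pub params: Vec<String>,
}

/// The pattern the issue describes: the value is interpolated into the
/// statement, so a quote in the value changes the statement's structure.
pub fn select_by_name_format(table: &str, name: &str) -> String {
    format!("SELECT * FROM {} WHERE name = '{}'", table, name)
}

/// Placeholder-based alternative. The identifier is checked against a
/// strict allow-list (it cannot be bound); the value is never interpolated.
pub fn select_by_name_prepared(table: &str, name: &str) -> Result<PreparedQuery, String> {
    let table = validate_identifier(table)?;
    Ok(PreparedQuery {
        sql: format!("SELECT * FROM {} WHERE name = ?", table),
        params: vec![name.to_string()],
    })
}

/// Table and column names cannot be parameters, so accept only a
/// conservative `[A-Za-z_][A-Za-z0-9_]*` shape and reject anything else.
pub fn validate_identifier(ident: &str) -> Result<&str, String> {
    let mut chars = ident.chars();
    let head_ok = chars.next().map_or(false, |c| c.is_ascii_alphabetic() || c == '_');
    let tail_ok = chars.all(|c| c.is_ascii_alphanumeric() || c == '_');
    if head_ok && tail_ok && ident.len() <= 64 {
        Ok(ident)
    } else {
        Err(format!("rejected identifier: {ident:?}"))
    }
}

fn main() {
    // Constructed input: an ordinary name containing an apostrophe.
    let name = "O'Brien";
    println!("format!:  {}", select_by_name_format("users", name));
    println!("prepared: {:?}", select_by_name_prepared("users", name));
    println!("rejected: {:?}", select_by_name_prepared("user table", name));
}
```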