sql injection not panic when cargo check #2993

y-pull · 2024-01-16T08:41:20Z

i wanna validate whether the sqlx can defend sql injection,and i wrote this below

then cargo check keeps circling and i check all my code again and again in many hours till i delete the code below

i think may sqlx throw an error or panic is the better way to tell coder to write like that is incorrect

thanks,sqlx is a good tool and i love it

let arg = " id ; SELECT 1 -- ";
sqlx::query!("SELECT * FROM `test` ORDER BY ?", arg).fetch_all(&dbpool).await;

SQLx version: 0.7.3
SQLx features enabled: ["runtime-tokio", "mysql", "macros", "time", "rust_decimal", "json"]
Database server and version: Mysql
Operating system: almalinux 9.3
rustc --version: 1.75.0

The text was updated successfully, but these errors were encountered:

abonander · 2024-01-17T02:09:05Z

SQL injection is a non-issue in this case because query parameters explicitly prevent it. arg is received as a separate string by the database server and is not parsed as SQL. See the FAQ answer I just wrote: https://github.com/launchbadge/sqlx/pull/2997/files?short_path=c7bd425#diff-c7bd425fd98aad1f9fef20099637bcbdcfadeb566ba1f83bb40ce484f195b8cf

y-pull · 2024-01-18T08:29:17Z

thanks, really helpful

y-pull added the bug label Jan 16, 2024

abonander mentioned this issue Jan 17, 2024

doc(FAQ): add entry explaining prepared statements #2997

Merged

abonander closed this as not planned Won't fix, can't repro, duplicate, stale Jan 17, 2024

Provide feedback