Macro concatsql::prep

macro_rules! prep {
    () => { ... };
    ($query:expr) => { ... };
}

Prepare a SQL statement for execution.

Examples

use concatsql::prep;
// `conn` is an already opened concatsql connection (elided here, as in the rustdoc example).
for name in ["Alice", "Bob"].iter() {
    // Only string literals go into prep!; the runtime value is appended with `+`, which escapes it.
    let stmt = prep!("INSERT INTO users (name) VALUES (") + name + prep!(")");
    conn.execute(stmt).unwrap();
}

Failure

Passing anything other than a &'static str as the argument is a compile error.

This example deliberately fails to compile
let passwd = String::from("'' or 1=1; --");
prep!("SELECT * FROM users WHERE passwd=") + prep!(&passwd); // shouldn't compile!

Panics

If a static fragment contains an unbalanced single or double quote, an appended value can break out of the literal and SQL injection succeeds.
Such fragments panic in debug builds; release builds only print a warning.

This example panics
prep!("SELECT * FROM users WHERE id='") + id + prep!("'"); // unbalanced quotes in both fragments
prep!("INSERT INTO msg VALUES ('I'm cat.')"); // unescaped apostrophe closes the literal early
assert_eq!((prep!("WHERE passwd='") + " or 1=1; --" + prep!("'")).actual_sql(), "WHERE passwd='' or 1=1; --''"); // release build: warning only, and the injected value goes through

Safety

prep!("SELECT * FROM users WHERE id=") + id; // no quotes in the fragment: `+` quotes and escapes the value
prep!("INSERT INTO msg VALUES ('I''m cat.')"); // apostrophe escaped by doubling
prep!("INSERT INTO msg VALUES (\"I'm cat.\")"); // double-quoted literal, apostrophe inside is fine
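To make the Panics and Safety rules concrete, here is an added illustration (not concatsql's own code) of the two pieces they rely on: a balance check over a static fragment that treats doubled quotes as escapes, and the quote-and-escape step applied to a runtime value. The fragments exercised in main() are the ones from this page; quotes_balanced, escape_value and concat_sql are hypothetical names.

```rust
// Added illustration, not concatsql's implementation: why a static fragment
// with a lone quote is rejected and why `+ value` stays safe without quotes.

/// Returns true when every single- and double-quoted literal in `fragment`
/// is closed. A doubled quote inside a literal (`''` or `""`) is an escape.
pub fn quotes_balanced(fragment: &str) -> bool {
    let mut open: Option<char> = None; // the quote character currently open
    let mut chars = fragment.chars().peekable();
    while let Some(c) = chars.next() {
        match open {
            None if c == '\'' || c == '"' => open = Some(c),
            Some(q) if c == q => {
                if chars.peek() == Some(&q) {
                    chars.next(); // doubled quote: still inside the literal
                } else {
                    open = None; // literal closed
                }
            }
            _ => {}
        }
    }
    open.is_none()
}

/// Quotes a runtime value the way `+ value` is meant to: wrap it in single
/// quotes and double any single quote it contains, so it can never close the literal.
pub fn escape_value(value: &str) -> String {
    format!("'{}'", value.replace('\'', "''"))
}

/// Builds `prefix + value + suffix`, refusing static fragments whose quotes
/// are unbalanced (the case that panics in debug builds).
pub fn concat_sql(prefix: &str, value: &str, suffix: &str) -> Result<String, String> {
    for frag in [prefix, suffix].iter() {
        if !quotes_balanced(frag) {
            return Err(format!("unbalanced quote in static fragment: {}", frag));
        }
    }
    Ok(format!("{}{}{}", prefix, escape_value(value), suffix))
}

fn main() {
    // Safe: the value is quoted by escape_value, not by the fragment.
    println!("{:?}", concat_sql("SELECT * FROM users WHERE id=", "1", ""));
    // Rejected: the fragment's lone quote would let the value escape the literal.
    println!("{:?}", concat_sql("SELECT * FROM users WHERE id='", "1", "'"));
    println!("{}", quotes_balanced("INSERT INTO msg VALUES ('I''m cat.')"));
}
```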