Macro concatsql::prep
Prepare a SQL statement for execution.
Examples
use concatsql::prep;

// conn is an open database connection; its setup is omitted here.
for name in ["Alice", "Bob"].iter() {
    let stmt = prep!("INSERT INTO users (name) VALUES (") + name + prep!(")");
    conn.execute(stmt).unwrap();
}
Failure
The macro only accepts a &'static str (a string literal) as its argument; passing any other value is a compile error.

This example deliberately fails to compile:

let passwd = String::from("'' or 1=1; --");
// &passwd is a borrow of a local String, not a &'static str
prep!("SELECT * FROM users WHERE passwd=") + prep!(&passwd); // shouldn't compile!
Panics
If a prepared fragment contains an unclosed single or double quote, SQL injection becomes possible, so the macro checks each fragment for balanced quotes.
Debug builds panic on such a fragment; release builds print a warning message instead.

This example panics:

// unclosed single quote in the first fragment
prep!("SELECT * FROM users WHERE id='") + id + prep!("'");
// the apostrophe in I'm leaves the string literal unclosed
prep!("INSERT INTO msg VALUES ('I'm cat.')");
// in a release build the appended value is quoted, so the unclosed quote
// turns into an empty password comparison followed by the attacker's text
assert_eq!(
    (prep!("WHERE passwd='") + " or 1=1; --" + prep!("'")).actual_sql(),
    "WHERE passwd='' or 1=1; --''"
); // When release builds
Safety
// a value appended with + is quoted by the library, so the literal needs no quotes
prep!("SELECT * FROM users WHERE id=") + id;
// a single quote inside a single-quoted string is written as ''
prep!("INSERT INTO msg VALUES ('I''m cat.')");
// or the string is double-quoted, so the apostrophe is not a delimiter
prep!("INSERT INTO msg VALUES (\"I'm cat.\")");
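The three rules above (literal-only input, balanced-quote check, automatic quoting of appended values) as a stand-alone model written for this page; it is not concatsql's implementation, and the names Prepared, quotes_balanced and quote_value are assumed:

```rust
use std::ops::Add;

/// Stand-in for the value `prep!` builds: a trusted SQL fragment (assumed name).
#[derive(Debug, Clone, PartialEq)]
pub struct Prepared(String);

/// True when every single and double quote in `s` is closed.
pub fn quotes_balanced(s: &str) -> bool {
    let (mut single, mut double) = (false, false);
    for c in s.chars() {
        match c {
            '\'' if !double => single = !single,
            '"' if !single => double = !double,
            _ => {}
        }
    }
    !single && !double
}

/// Model of `prep!`: only a `&'static str` literal is accepted, so
/// `prep(&some_string)` does not compile, and an unclosed quote panics
/// (the real macro panics in debug builds and warns in release builds).
pub fn prep(lit: &'static str) -> Prepared {
    assert!(quotes_balanced(lit), "incomplete quote in fragment: {lit:?}");
    Prepared(lit.to_string())
}

/// Quote an untrusted value: wrap it in single quotes, doubling any inner quote.
pub fn quote_value(v: &str) -> String {
    format!("'{}'", v.replace('\'', "''"))
}

impl Add<&str> for Prepared {
    type Output = Prepared;
    fn add(self, value: &str) -> Prepared { Prepared(self.0 + &quote_value(value)) }
}
impl Add<Prepared> for Prepared {
    type Output = Prepared;
    fn add(self, rhs: Prepared) -> Prepared { Prepared(self.0 + &rhs.0) }
}
impl Prepared {
    pub fn actual_sql(&self) -> &str { &self.0 }
}

fn main() {
    let passwd = "' or 1=1; --"; // constructed hostile input
    println!("{}", (prep("SELECT * FROM users WHERE passwd=") + passwd).actual_sql());
}
```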