# ConcatSQL

ConcatSQL (`concatsql`) is a secure SQL database library for Rust.
You can build queries with plain string concatenation and still be protected from SQL injection.
Supported databases: PostgreSQL, MySQL and SQLite (one backend is selected through a Cargo feature).

You can configure the database backend in `Cargo.toml`:

```toml
[dependencies]
concatsql = { version = "<version>", features = ["<postgres|mysql|sqlite>"] }
```
## Examples

### Normal value

```rust
let id     = String::from("42");   // User supplied input (sample value)
let passwd = String::from("pass"); // User supplied input (sample value)
let sql = prep!("SELECT name FROM users WHERE id=") + &id + prep!(" AND passwd=") + &passwd + prep!(";");
// simulate() renders the query with the user values escaped (method name assumed)
assert_eq!(sql.simulate(), "SELECT name FROM users WHERE id='42' AND passwd='pass';");
for row in conn.rows(&sql).unwrap() {
    // handle each matching row
}
```
### Illegal value

```rust
let id     = String::from("42");           // User supplied input (sample value)
let passwd = String::from("' or 1=1; --"); // User supplied input (constructed injection attempt)
let sql = prep!("SELECT name FROM users WHERE id=") + &id + prep!(" AND passwd=") + &passwd + prep!(";");
// The quote in the attacker's input is escaped, so the whole value is compared as data
assert_eq!(sql.simulate(), "SELECT name FROM users WHERE id='42' AND passwd=''' or 1=1; --';");
for row in conn.rows(&sql).unwrap() {
    unreachable!(); // no user has the literal password "' or 1=1; --"
}
```
### If you did not use the `prep!` macro

Cannot compile ... secure!

```rust
let id     = String::from("42");
let passwd = String::from("pass");
let sql = "SELECT name FROM users WHERE id=".to_string() + &id + " AND passwd='" + &passwd + "';";
conn.execute(&sql).unwrap(); // error: execute() accepts a WrapString, not a plain String
```
### When using `prep!(<String>)`

Cannot compile ... secure!

```rust
let age = String::from("50"); // sample value
let sql = prep!("SELECT name FROM users WHERE age=") + prep!(age); // error: prep! only accepts string literals
```
## Why can this library prevent SQL injection?

This is because it is achieved using operator overloading rather than simple string concatenation.
The `prep!` macro returns the library's own type (`WrapString`).
For example, if you combine this `WrapString` type with a `String` type, the `String` is escaped, combined with the query text, and a new `WrapString` is returned.

```rust
let foobar: WrapString = prep!("SELECT name FROM users WHERE id=") + String::from("42");
```
## Is it impossible to implement in other languages?

It seems that it can be implemented in other languages as long as they support operator overloading.
However, if the developer writes the following, the input from the attacker will not be escaped correctly and the attack will be successful.
That is, it can be implemented in any language that can distinguish between hard-coded text (`&'static str`) and user input (`String`) at compile time.
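To make the operator-overloading argument of the two sections above concrete, here is an added, self-contained Rust example. It is not concatsql's own code: it is a toy `WrapString`, a `prep!` macro that only accepts literals, and `Add` impls that escape `String` operands but concatenate `WrapString` operands verbatim. The names `from_literal`, `escape` and `lookup_user`, the quote-doubling escape rule and the sample inputs are assumptions for illustration; the real crate's escaping rules are not reproduced here.

```rust
// Added illustration (not concatsql's own code): a minimal re-implementation of the
// WrapString / prep! idea, enough to show why operator overloading stops injection.
use std::ops::Add;

/// Query text that is trusted because every piece came either from a string
/// literal or from an escaped user value. Hypothetical stand-in for WrapString.
#[derive(Debug, Clone, PartialEq)]
pub struct WrapString {
    query: String,
}

impl WrapString {
    /// Only `prep!` calls this, and `prep!` only accepts literals, so the text is hard-coded.
    pub fn from_literal(literal: &'static str) -> Self {
        WrapString { query: literal.to_string() }
    }

    /// Render the query as the database would receive it (name mirrors the README's simulate()).
    pub fn simulate(&self) -> &str {
        &self.query
    }
}

/// Escape a user-supplied value as a single-quoted SQL string literal (assumed rule):
/// every embedded quote is doubled, so the value can never terminate the literal.
pub fn escape(value: &str) -> String {
    let mut out = String::with_capacity(value.len() + 2);
    out.push('\'');
    for c in value.chars() {
        if c == '\'' {
            out.push('\'');
        }
        out.push(c);
    }
    out.push('\'');
    out
}

// WrapString + WrapString: both sides are trusted, so concatenate verbatim.
impl Add for WrapString {
    type Output = WrapString;
    fn add(mut self, rhs: WrapString) -> WrapString {
        self.query.push_str(&rhs.query);
        self
    }
}

// WrapString + String / &String: the right-hand side is data, so it is escaped.
// There is deliberately no `Add<&str>` impl: a `&str` could be a literal or a
// slice of user input, and the type system cannot tell the two apart.
impl Add<String> for WrapString {
    type Output = WrapString;
    fn add(mut self, rhs: String) -> WrapString {
        self.query.push_str(&escape(&rhs));
        self
    }
}

impl<'a> Add<&'a String> for WrapString {
    type Output = WrapString;
    fn add(mut self, rhs: &'a String) -> WrapString {
        self.query.push_str(&escape(rhs));
        self
    }
}

/// `$lit:literal` only matches literal tokens: `prep!("...")` compiles, while
/// `prep!(some_string_variable)` is rejected before the program is ever built.
macro_rules! prep {
    ($lit:literal) => {
        WrapString::from_literal($lit)
    };
}

/// The README's login lookup built from hard-coded fragments and user input.
/// `&String` (not `&str`) is used on purpose: only owned user data can be added.
pub fn lookup_user(id: &String, passwd: &String) -> WrapString {
    prep!("SELECT name FROM users WHERE id=") + id + prep!(" AND passwd=") + passwd + prep!(";")
}

fn main() {
    // Constructed sample inputs: a normal password and an injection attempt.
    let id = String::from("42");
    for passwd in vec![String::from("pass"), String::from("' or 1=1; --")] {
        println!("{}", lookup_user(&id, &passwd).simulate());
    }
}
```

Both mistakes from the Examples section are compile errors in this toy as well: `prep!(age)` with a `String` does not match `$lit:literal`, and `prep!("SELECT ") + "text"` has no `Add<&str>` impl. That missing impl is the point of the last section: the escaping decision is made by the types, so the language must be able to tell a hard-coded `&'static str` from a runtime `String` when the program is compiled.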
## License

MIT