Function concatsql::without_escape
pub unsafe fn without_escape<T: ?Sized + ToString>(query: &T) -> WrapString<'_>
Does not escape the value.
Do not use it if the value is untrusted (e.g. supplied by a user).
Danger
```rust
let age = String::from("42 or 1=1; --"); // input by attacker
let sql = prep!("SELECT name FROM users WHERE age < ") + unsafe { without_escape(&age) };
// The attacker's text is spliced into the statement verbatim.
assert_eq!(sql.simulate(), "SELECT name FROM users WHERE age < 42 or 1=1; --");
// `conn` is an open connection; the injected query executes successfully.
assert!(conn.rows(&sql).is_ok());
```
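To make the difference between the raw and the escaped path concrete, here is an added, self-contained model of the builder (not concatsql's own code): `WrapString` keeps trusted text and untrusted values apart, `without_escape` forces a value onto the trusted path, and `simulate` renders escaped values as quoted literals. The names `Part`, `value` and `prep` are assumed for this illustration.

```rust
// Added illustration, not concatsql's implementation. Names are assumed.
#[derive(Clone, Debug)]
enum Part {
    Raw(String),     // trusted SQL text (prep! literals, or without_escape)
    Escaped(String), // untrusted value, rendered as a quoted literal
}

#[derive(Clone, Debug, Default)]
struct WrapString {
    parts: Vec<Part>,
}

impl WrapString {
    // Trusted SQL text written by the developer.
    fn prep(sql: &str) -> Self {
        WrapString { parts: vec![Part::Raw(sql.to_string())] }
    }
    // Untrusted value: kept as data and escaped when rendered.
    fn value(v: &str) -> Self {
        WrapString { parts: vec![Part::Escaped(v.to_string())] }
    }
    // Mirrors without_escape: the caller vouches for the text, nothing is escaped.
    fn without_escape(v: &str) -> Self {
        WrapString { parts: vec![Part::Raw(v.to_string())] }
    }
    // Render the statement; escaped fragments become SQL string literals with
    // embedded single quotes doubled, so they can never close the literal.
    fn simulate(&self) -> String {
        self.parts.iter().map(|p| match p {
            Part::Raw(s) => s.clone(),
            Part::Escaped(s) => format!("'{}'", s.replace('\'', "''")),
        }).collect()
    }
}

impl std::ops::Add for WrapString {
    type Output = WrapString;
    fn add(mut self, rhs: WrapString) -> WrapString {
        self.parts.extend(rhs.parts);
        self
    }
}

fn main() {
    let age = String::from("42 or 1=1; --"); // constructed attacker-style input
    let raw = WrapString::prep("SELECT name FROM users WHERE age < ")
        + WrapString::without_escape(&age);
    let safe = WrapString::prep("SELECT name FROM users WHERE age < ")
        + WrapString::value(&age);
    println!("raw:  {}", raw.simulate());  // the tail becomes SQL
    println!("safe: {}", safe.simulate()); // the tail stays a literal
}
```

With the escaped path the payload is still compared as a value rather than parsed as SQL, which is exactly the guarantee `without_escape` gives up.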
Safety
- Only pass trusted values
- Only use it where the value cannot carry SQL injection