pub fn is_valid_sql_expression(s: &str) -> bool
Validate a SQL expression for computed fields.
Computed field expressions are dangerous because they are inserted directly into the generated SQL text. This function performs defense-in-depth validation to catch injection attempts, but it cannot provide complete protection.
§Security Model
This validation is a safety net, not a security boundary. It catches:
- Obvious injection patterns (comments, semicolons, SQL keywords)
- Common attack vectors
It cannot catch:
- All possible SQL injection variants
- Database-specific syntax
- Encoded or obfuscated attacks
CRITICAL: Only use computed fields with trusted expressions from code. Never pass user input to computed field expressions, even with validation.
§Valid expressions
- Simple field references: `first_name`, `price`
- Arithmetic: `quantity * price`
- String concatenation: `first_name || ' ' || last_name`
- Functions: `COALESCE(nickname, name)`, `UPPER(name)`
§Invalid expressions (rejected)
- Comments: `--`, `/*`, `*/`
- Statement terminators: `;`
- SQL keywords: `SELECT`, `INSERT`, `UPDATE`, `DELETE`, `DROP`, etc.
- System functions: identifiers prefixed with `pg_` or `sqlite_`
§Examples
```rust
use mik_sql::is_valid_sql_expression;

// Expressions built from field references, operators and functions are accepted
assert!(is_valid_sql_expression("first_name || ' ' || last_name"));
assert!(is_valid_sql_expression("quantity * price"));
assert!(is_valid_sql_expression("COALESCE(nickname, name)"));

// Dangerous patterns are rejected
assert!(!is_valid_sql_expression("1; DROP TABLE users"));
assert!(!is_valid_sql_expression("name -- comment"));
assert!(!is_valid_sql_expression("/* comment */ name"));
```
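The following is an added illustration of the layered check described under "Security Model" and "Invalid expressions"; it is not `mik_sql`'s implementation, and the function name `is_valid_sql_expression_demo`, the character allowlist and the keyword list are assumptions chosen for the example. It adds one refinement the text only implies: keywords are matched on whole identifier tokens, so a column such as `selected_count` is not rejected just because it contains `select`.

```rust
// Added example: an illustrative validator in the spirit of the one documented
// above. It is NOT mik_sql's code; names, lists and rules are assumptions.

/// Raw sequences the page lists as rejected outright.
const FORBIDDEN_SEQUENCES: &[&str] = &["--", "/*", "*/", ";"];

/// Statement keywords that have no place in a computed-field expression.
const FORBIDDEN_KEYWORDS: &[&str] = &[
    "SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "CREATE",
    "UNION", "EXEC", "EXECUTE", "GRANT", "TRUNCATE",
];

/// Identifier prefixes reserved for database-internal functions.
const FORBIDDEN_PREFIXES: &[&str] = &["pg_", "sqlite_"];

/// Defence-in-depth check: returns false on anything suspicious. Like the
/// documented function it is a safety net, not a security boundary.
pub fn is_valid_sql_expression_demo(s: &str) -> bool {
    // 1. Character allowlist: identifiers, numbers, the operators used by the
    //    page's valid examples, parentheses, commas, single quotes and spaces.
    let allowed = |c: char| c.is_ascii_alphanumeric() || " _.*+-/|(),'".contains(c);
    if s.is_empty() || !s.chars().all(allowed) {
        return false;
    }
    // 2. Denylist of raw sequences, checked over the whole string so that a
    //    quoted literal cannot be used to hide them from the tokenizer.
    if FORBIDDEN_SEQUENCES.iter().any(|p| s.contains(p)) {
        return false;
    }
    // 3. Keyword and prefix checks on whole identifier tokens only, so that
    //    `selected_count` passes while `SELECT` (in any case) does not.
    s.split(|c: char| !(c.is_ascii_alphanumeric() || c == '_'))
        .filter(|tok| !tok.is_empty())
        .all(|tok| {
            let upper = tok.to_ascii_uppercase();
            let lower = tok.to_ascii_lowercase();
            !FORBIDDEN_KEYWORDS.contains(&upper.as_str())
                && !FORBIDDEN_PREFIXES.iter().any(|p| lower.starts_with(*p))
        })
}

fn main() {
    // Constructed sample inputs: one accepted, two rejected.
    for expr in ["quantity * price", "1; DROP TABLE users", "sqlite_version()"] {
        println!("{expr:?} -> {}", is_valid_sql_expression_demo(expr));
    }
}
```

Even with the token-level check, the third point of the "Security Model" section still holds: an expression assembled from untrusted input should never reach this function in the first place.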