Macro sql_query

macro_rules! sql_query {
    ($fmt:literal $(, $arg:expr)* $(,)?) => { ... };
}

Creates an EscapedQuery from a format string and SQL-safe arguments.

This macro works like format!, but it only accepts arguments whose types implement the SqlSafe trait. Because the only types that implement SqlSafe are the escaping wrappers listed below, every value interpolated into the query has already been escaped before it reaches the format string.

§Accepted Types

  • EscapedIdentifier - for schema, table, and column names
  • EscapedLiteral - for string values
  • InsecureRawSql - for raw SQL (use with caution)

§Example

use spawn_db::{sql_query, escape::{EscapedIdentifier, EscapedLiteral}};

let schema = EscapedIdentifier::new("my_schema");
let table = EscapedIdentifier::new("users");
let name = EscapedLiteral::new("O'Brien");

let query = sql_query!(
    "SELECT * FROM {}.{} WHERE name = {}",
    schema,
    table,
    name
);

§Compile-Time Safety

Passing a raw String or &str will result in a compile error:

use spawn_db::sql_query;

let unsafe_input = "Robert'; DROP TABLE users; --";
let query = sql_query!("SELECT * FROM users WHERE name = {}", unsafe_input);
// Error: the trait bound `&str: SqlSafe` is not satisfied
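To show how the type-level gate described above works end to end, here is an added, self-contained illustration of the same pattern; it is not spawn_db's code. The trait and type names mirror this page, while the quoting rules (double-quoted identifiers, single-quoted literals, embedded quotes doubled) and the `sql_safe` helper that enforces the bound are assumptions made for this example; InsecureRawSql is omitted.

```rust
// Added illustration of the SqlSafe-gated query builder; not spawn_db's code.
// Assumed here: ANSI "identifier" / 'literal' quoting with embedded quotes
// doubled, and a `sql_safe` identity function that carries the trait bound.
use std::fmt;

/// Marker trait: only values that have already been escaped implement it.
pub trait SqlSafe: fmt::Display {}

/// Schema, table or column name, emitted as "name" with embedded " doubled.
pub struct EscapedIdentifier(String);
impl EscapedIdentifier {
    pub fn new(raw: &str) -> Self {
        EscapedIdentifier(format!("\"{}\"", raw.replace('"', "\"\"")))
    }
}
impl fmt::Display for EscapedIdentifier {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.write_str(&self.0) }
}
impl SqlSafe for EscapedIdentifier {}

/// String value, emitted as 'value' with embedded ' doubled.
pub struct EscapedLiteral(String);
impl EscapedLiteral {
    pub fn new(raw: &str) -> Self {
        EscapedLiteral(format!("'{}'", raw.replace('\'', "''")))
    }
}
impl fmt::Display for EscapedLiteral {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.write_str(&self.0) }
}
impl SqlSafe for EscapedLiteral {}

/// Identity function whose bound is what turns a bare `&str` or `String`
/// argument into a compile error instead of an interpolated value.
pub fn sql_safe<T: SqlSafe>(v: T) -> T { v }

/// Like `format!`, but every argument is routed through `sql_safe` first.
macro_rules! sql_query {
    ($fmt:literal $(, $arg:expr)* $(,)?) => {
        format!($fmt $(, $crate::sql_safe($arg))*)
    };
}

/// The page's example query, built from the three escaped parts.
pub fn example_query() -> String {
    let schema = EscapedIdentifier::new("my_schema");
    let table = EscapedIdentifier::new("users");
    let name = EscapedLiteral::new("O'Brien");
    sql_query!("SELECT * FROM {}.{} WHERE name = {}", schema, table, name)
}
```

Wrapping the page's "Robert'; DROP TABLE users; --" string in EscapedLiteral before passing it shows the other half of the contract: the quote is doubled and the whole string stays a single literal, so the type gate and the escaping constructor together are what make the macro safe.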