pub trait SqlSafeStr {
    // Required method
    fn into_sql_str(self) -> SqlStr;
}
A SQL string that is safe to execute on a database connection.
A “safe” SQL string is one that is unlikely to contain a SQL injection vulnerability.
In practice, this means a string type that is unlikely to contain dynamic data or user input.
&'static str is the only string type that satisfies the requirements of this trait
(ignoring String::leak(), which has niche use-cases), and so it is the only string type
that implements this trait out of the box.
For other string types, use AssertSqlSafe to assert this property.
This is the only intended way to pass an owned String to query() and its related functions
as well as raw_sql().
The maintainers of SQLx take no responsibility for any data leaks or loss resulting from misuse of this API.
Motivation
This is designed to act as a speed bump against naively using format!() to add dynamic data
or user input to a query, which is a classic vector for SQL injection as SQLx does not
provide any sort of escaping or sanitization (which would have to be specially implemented
for each database flavor/locale).
The recommended way to incorporate dynamic data or user input in a query is to use
bind parameters, which requires the query to execute as a prepared statement.
See query() for details.
This trait and AssertSqlSafe are intentionally analogous to
std::panic::UnwindSafe and std::panic::AssertUnwindSafe, respectively.
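The following is an added illustration of the design described above, not code from SQLx itself: it models SqlSafeStr, AssertSqlSafe and SqlStr with standard-library types only, and the query(), Query and bind() stand-ins are hypothetical so the block compiles without the sqlx crate. It shows the three situations the trait is built around: a string literal passes through on its own; a format!()-built String fails to compile unless wrapped in AssertSqlSafe (which is the speed bump); and the recommended route keeps user input out of the SQL text entirely by sending it as a bind parameter. The allowlist in count_rows is one legitimate use of the assertion (trusted, compile-time fragments), and the hostile input is constructed for the demonstration.

```rust
// Added illustration of the SqlSafeStr / AssertSqlSafe design. NOT sqlx's code:
// `SqlStr`, `AssertSqlSafe`, `Query`, `query` and `bind` are stand-ins so this
// block builds with only the standard library.

use std::borrow::Cow;

/// Model of sqlx's `SqlStr`: an owned-or-static SQL string.
#[derive(Debug, Clone, PartialEq)]
pub struct SqlStr(Cow<'static, str>);

impl SqlStr {
    pub fn as_str(&self) -> &str {
        &self.0
    }
}

/// The trait from this page, same shape as the real one.
pub trait SqlSafeStr {
    fn into_sql_str(self) -> SqlStr;
}

// Only `&'static str` gets an impl: a string literal cannot have had runtime
// data interpolated into it, so it cannot carry an injection payload.
impl SqlSafeStr for &'static str {
    fn into_sql_str(self) -> SqlStr {
        SqlStr(Cow::Borrowed(self))
    }
}

/// Model of `AssertSqlSafe`: an explicit, greppable opt-in for other string types.
pub struct AssertSqlSafe<T>(pub T);

impl SqlSafeStr for AssertSqlSafe<String> {
    fn into_sql_str(self) -> SqlStr {
        SqlStr(Cow::Owned(self.0))
    }
}

impl SqlSafeStr for AssertSqlSafe<&str> {
    // Mirrors the note on this page: the borrowed impl copies the string.
    fn into_sql_str(self) -> SqlStr {
        SqlStr(Cow::Owned(self.0.to_owned()))
    }
}

/// Model of a prepared statement: SQL text plus separately transmitted bind values.
#[derive(Debug, PartialEq)]
pub struct Query {
    pub sql: SqlStr,
    pub params: Vec<String>,
}

impl Query {
    pub fn bind(mut self, value: impl Into<String>) -> Self {
        self.params.push(value.into());
        self
    }
}

/// Model of `sqlx::query`: the SQL text must prove it is safe at the type level.
pub fn query(sql: impl SqlSafeStr) -> Query {
    Query { sql: sql.into_sql_str(), params: Vec::new() }
}

/// Recommended path: static query text, user value sent as a bind parameter.
pub fn find_user_safe(name: &str) -> Query {
    query("SELECT id FROM users WHERE name = $1").bind(name)
}

/// The anti-pattern made explicit. `format!` yields a `String`, which does not
/// implement `SqlSafeStr`, so `query(sql)` is a compile error. Wrapping it in
/// `AssertSqlSafe` compiles, and that wrapper is what a reviewer should grep for.
pub fn find_user_injectable(name: &str) -> Query {
    let sql = format!("SELECT id FROM users WHERE name = '{}'", name);
    // query(sql) // error[E0277]: the trait `SqlSafeStr` is not implemented for `String`
    query(AssertSqlSafe(sql))
}

/// A legitimate assertion: the dynamic part is a table name chosen from a fixed
/// allowlist of `&'static str`, so input never reaches the SQL text verbatim.
pub fn count_rows(table: &str) -> Option<Query> {
    const ALLOWED: [&str; 2] = ["users", "orders"];
    let table = ALLOWED.iter().copied().find(|t| *t == table)?;
    Some(query(AssertSqlSafe(format!("SELECT COUNT(*) FROM {table}"))))
}

fn main() {
    let hostile = "' OR 1=1 --"; // constructed hostile input
    println!("{:?}", find_user_safe(hostile));
    println!("{:?}", find_user_injectable(hostile));
    println!("{:?}", count_rows("users; DROP TABLE users"));
}
```

Note that the safe variant leaves the SQL text unchanged and carries the hostile value only in params, while the AssertSqlSafe variant splices it straight into the statement. The trait does not make the second form impossible; it makes it deliberate and visible.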
Required Methods
fn into_sql_str(self) -> SqlStr
Convert self to a SqlStr.
Implementations on Foreign Types
impl SqlSafeStr for &'static str
fn into_sql_str(self) -> SqlStr
Implementors
impl SqlSafeStr for AssertSqlSafe<&str>
Note: copies the string.
It is recommended to pass one of the supported owned string types instead.