Write Transactions Are a Footgun with Rust's SQLx and SQLite

(emschwartz.me)

16 points | by emschwartz 2 days ago

3 comments

  • yellowapple 2 days ago

    > However, this can lead to catastrophic SQL injection attacks if you use this for user input, because raw_sql does not support binding and sanitizing query parameters.

    That's surprising, given that SQLite itself supports binding and sanitizing query parameters via sqlite_bind_*(). Is SQLx just blindly calling sqlite3_exec() instead of doing the prepare→bind→step→finalize sequence itself?

    • Fulgen a day ago

      This is about raw_sql, which is explicitly documented to not use prepared statements and thus doesn't support query parameters; not about the actual query() API SQLx offers.

      > Note: query parameters are not supported.

      > Query parameters require the use of prepared statements which this API does support.

      > If you require dynamic input data in your SQL, you can use format!() but be very careful doing this with user input. SQLx does not provide escaping or sanitization for inserting dynamic input into queries this way.

      > See query() for details.

    • emschwartz 2 days ago

      I believe so. When you call `raw_sql`, the API doesn't provide a way for you to specify which parts of the query are parameters, so it just passes that exact string in to exec.
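The contrast the thread is drawing, as an added example that is not part of the post or the SQLx project: Python's standard-library sqlite3 module exposes the same two shapes SQLite offers underneath SQLx. `execute()` with a `?` placeholder goes through prepare/bind/step (the `sqlite3_bind_*` path), while `executescript()` is the exec-style entry point that takes only a string, which is the analogue of `raw_sql`. The table, rows, and the function names (`find_user_interpolated`, `find_user_bound`, `script_api_accepts_parameters`, `demo`) are all constructed for this illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny in-memory table standing in for an app database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def find_user_interpolated(conn: sqlite3.Connection, name: str) -> list:
    """Analogue of raw_sql + format!(): the caller's string is spliced into the SQL text.
    SQLite never sees a parameter, so quote characters in `name` change the query itself."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_bound(conn: sqlite3.Connection, name: str) -> list:
    """Analogue of query(...).bind(): the statement is prepared with a `?` placeholder and
    the value is bound separately, so SQLite always treats it as data, never as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def script_api_accepts_parameters(conn: sqlite3.Connection) -> bool:
    """executescript() is sqlite3's exec-style call, like raw_sql: it accepts only a string,
    so there is nowhere to hand it bound values. Returns False when it refuses a parameter tuple."""
    try:
        conn.executescript("SELECT id FROM users WHERE name = ?", ("alice",))
    except TypeError:
        return False
    return True


def demo() -> dict:
    """Run both lookups on the same hostile-looking input and report row counts.
    The interpolated query's WHERE clause is rewritten by the input; the bound one is not."""
    conn = make_db()
    # Constructed input containing a quote; it is data, not SQL, when bound correctly.
    tricky_name = "x' OR 'a'='a"
    return {
        "interpolated_rows": len(find_user_interpolated(conn, tricky_name)),
        "bound_rows": len(find_user_bound(conn, tricky_name)),
        "bound_exact_match": len(find_user_bound(conn, "alice")),
        "script_api_binds": script_api_accepts_parameters(conn),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` reports that the interpolated lookup returns every row for an input that should match nothing, the bound lookup returns zero rows for the same input and exactly one for `"alice"`, and the script-style API simply rejects a parameter tuple. That last point is the practical answer to the question above: when an API only takes a complete SQL string, the binding step that SQLite itself provides is not reachable through it, so dynamic values must go through the prepared-statement API instead.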