Is your feature request related to a problem? Please describe.
A common need when generating SQL queries is to dynamically template identifiers. For example, this allows for a single query to be written that can ORDER BY any column without worrying about injection attacks. Today this does not seem to be possible in SQLx except by .push() which is very high risk!
Solution Proposal
Describe the solution you'd like
Some way to have macros like query_as!() support this. I'm familiar with Knex.js's solution to this, which is that ? are safely templated to escaped values while ?? are safely templated to escaped values.
As an example, take the following template:
SELECT * WHERE id = ? ORDER BY ?? DESC
With the template values 1234 and my_column on Postgres this would generate:
SELECT * WHERE id = '1234' ORDER BY "my_column" DESC
Taking this a step further would be a way to inject keywords so DESC could be templated. Perhaps keywords could be identified by $$$ and things templated with it must implement some "keyword trait".
Alternatives Investigated
Describe alternatives you've considered
The only alternative today seems to be .push() which is dangerous and also not template friendly.
Additional context
Note that each database dialect does escaping of values and identifiers differently. So implementation would have to support being database specific.
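As an added illustration of the `?`/`??` scheme described above (this is example code written for this page, not SQLx's code or a proposed API; the names `Dialect`, `quote_ident`, `allowed_ident`, `expand` and `TemplateError` are made up here), the block below quotes identifiers per dialect and expands a Knex-style template. One deliberate difference from the example in the issue: `?` is rendered as a bind placeholder (`$1` for Postgres, `?` for MySQL) rather than an interpolated `'1234'`, so values stay bound and never touch the SQL text. It also shows the check that quoting alone cannot give you: a user-controlled ORDER BY column that is syntactically harmless can still be a column you did not intend to expose, so an allow-list is applied on top.

```rust
// Added example (not SQLx code): dialect-aware identifier quoting and a `?`/`??`
// template expander. Values are never interpolated; `?` becomes a bind placeholder.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Dialect {
    Postgres,
    MySql,
}

#[derive(Debug, PartialEq, Eq)]
pub enum TemplateError {
    EmptyIdentifier,
    /// No dialect accepts a NUL byte inside a name; reject rather than hope the driver does.
    NulInIdentifier,
    /// Postgres silently truncates names longer than 63 bytes (NAMEDATALEN - 1), so an
    /// over-long name could quietly resolve to a *different* column. MySQL's limit is 64.
    IdentifierTooLong(usize),
    /// The template has more `??` slots than identifiers were supplied (index of the slot).
    MissingIdentifier(usize),
    /// More identifiers were supplied than `??` slots (count left over).
    UnusedIdentifiers(usize),
    /// Identifier is not in the caller's allow-list.
    NotAllowed(String),
}

/// Quote an identifier for `dialect`. The only escape rule is doubling the quote
/// character itself; once inside quotes, `;`, `--`, spaces etc. are inert.
/// Note: quoted identifiers are case-sensitive in Postgres, so "My_Col" != my_col.
pub fn quote_ident(dialect: Dialect, name: &str) -> Result<String, TemplateError> {
    if name.is_empty() {
        return Err(TemplateError::EmptyIdentifier);
    }
    if name.contains('\0') {
        return Err(TemplateError::NulInIdentifier);
    }
    let (quote, doubled, max_len) = match dialect {
        Dialect::Postgres => ('"', "\"\"", 63),
        Dialect::MySql => ('`', "``", 64),
    };
    if name.len() > max_len {
        return Err(TemplateError::IdentifierTooLong(name.len()));
    }
    let mut out = String::with_capacity(name.len() + 2);
    out.push(quote);
    out.push_str(&name.replace(quote, doubled));
    out.push(quote);
    Ok(out)
}

/// Stricter than quoting: accept only names the application already knows. This is the
/// check you want for user-chosen ORDER BY columns, where `password_hash` is valid SQL
/// but still not something a caller should be able to sort (and so probe) by.
pub fn allowed_ident(name: &str, allowed: &[&str]) -> Result<String, TemplateError> {
    allowed
        .iter()
        .copied()
        .find(|a| *a == name)
        .map(str::to_string)
        .ok_or_else(|| TemplateError::NotAllowed(name.to_string()))
}

/// Expand a Knex-style template: `??` takes the next identifier (quoted for the dialect),
/// `?` becomes the dialect's bind placeholder. Returns the SQL and the number of bind
/// parameters the caller must supply. The template is treated as trusted developer text;
/// a literal `?` inside a string literal in the template is not recognised as such.
pub fn expand(
    dialect: Dialect,
    template: &str,
    idents: &[&str],
) -> Result<(String, usize), TemplateError> {
    let mut out = String::with_capacity(template.len() + 16);
    let mut next_ident = idents.iter();
    let mut used = 0usize;
    let mut binds = 0usize;
    let mut chars = template.chars().peekable();
    while let Some(c) = chars.next() {
        if c != '?' {
            out.push(c);
            continue;
        }
        if chars.peek() == Some(&'?') {
            chars.next();
            let name = next_ident
                .next()
                .ok_or(TemplateError::MissingIdentifier(used))?;
            out.push_str(&quote_ident(dialect, name)?);
            used += 1;
        } else {
            binds += 1;
            match dialect {
                Dialect::Postgres => out.push_str(&format!("${binds}")),
                Dialect::MySql => out.push('?'),
            }
        }
    }
    let leftover = idents.len() - used;
    if leftover > 0 {
        return Err(TemplateError::UnusedIdentifiers(leftover));
    }
    Ok((out, binds))
}

fn main() {
    // The template from the issue; the value 1234 would be passed as bind parameter $1.
    let (sql, n) = expand(Dialect::Postgres, "SELECT * WHERE id = ? ORDER BY ?? DESC", &["my_column"]).unwrap();
    println!("{sql}  -- {n} bind parameter(s)");
    // Constructed hostile "column name": quoting neutralises it, the allow-list rejects it.
    let evil = "x\"; DROP TABLE users; --";
    println!("{}", quote_ident(Dialect::Postgres, evil).unwrap());
    println!("{:?}", allowed_ident(evil, &["id", "created_at"]));
}
```

In practice you would run `allowed_ident` on the user-supplied column first and only then hand the result to `expand`; the quoting in `quote_ident` is the safety net for identifiers that are legitimately dynamic (schema or table names chosen by the application), not a reason to accept arbitrary user strings as column names.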