Does Forked Copy of SQLX require in house string sanitization #4149
Hi! I recently forked a copy of SQLx (using sqlite) so that I could build SQLCipher for my project on Android/iOS. After forking so I could change around a few feature flags in libsqlite3, the entire SQLx API seemed to change, and now normal strings are no longer accepted in the macroless Query API. I must stick them in an `AssertSqlSafe` struct, the documentation of which informs me I should be doing sanitization myself. Can someone explain what happened here? Does SQLx not provide sanitization in the way I think?
Replies: 1 comment 1 reply
Yes, the API has changed in the 0.9 version (which has not been officially released yet). This has basically everything to do with SQL injections. (If you don't know what this is, I'd recommend reading about it here.) Before and after this change SQLx doesn't sanitize your query, it does not look at the structure, does not parse/inspect the query, it never has and still doesn't. So if users can influence your queries (by using `format!(...)` to generate queries for example), sqlx doesn't help you against SQL injections.

With the changes, SQLx makes it possible for the user to give an owned query as input (a `String` for example), this was not possible before. Now having a `String` as an argument… If you are using string literals for queries with query parameters there is basically no change and you don't have to worry about anything. If you're upgrading and need to change code to make your queries work again, there is a chance that your code was/is vulnerable to SQL injections.
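The distinction the reply draws (a string literal is accepted as-is, an owned `String` needs an explicit opt-in, and the library inspects neither) can be modelled in a few lines of plain Rust. This is an added example, not sqlx's own code: `AssertSqlSafe` mirrors the name from the question, while the trait name `SqlSafeStr` and the `Query` stand-in are assumptions of the model, and no database is involved.

```rust
// Added example, not sqlx's own code: a minimal model of the 0.9 design the
// reply describes. `SqlSafeStr` and `Query` are assumptions of this model.
/// SQL text the type system lets us trust: a string literal is baked into the
/// binary, so no runtime input can have been spliced into it.
pub trait SqlSafeStr {
    fn into_sql(self) -> String;
}
/// String literals (`&'static str`) are accepted without ceremony.
impl SqlSafeStr for &'static str {
    fn into_sql(self) -> String { self.to_owned() }
}
/// Opt-in for owned, dynamically built SQL. Wrapping is the developer
/// asserting that no untrusted input reached the text; the library does not
/// parse or inspect it, exactly as the reply says.
pub struct AssertSqlSafe<T>(pub T);
impl<T: AsRef<str>> SqlSafeStr for AssertSqlSafe<T> {
    fn into_sql(self) -> String { self.0.as_ref().to_owned() }
}
/// Stand-in for a prepared query: SQL text plus separately bound arguments.
#[derive(Debug, PartialEq)]
pub struct Query { pub sql: String, pub binds: Vec<String> }
impl Query {
    /// Only `SqlSafeStr` values are accepted, so `Query::new(format!(..))`
    /// is a compile error until the result is wrapped in `AssertSqlSafe`.
    pub fn new(sql: impl SqlSafeStr) -> Self {
        Query { sql: sql.into_sql(), binds: Vec::new() }
    }
    pub fn bind(mut self, value: impl Into<String>) -> Self {
        self.binds.push(value.into());
        self
    }
}
/// Safe pattern: constant SQL, the value travels out of band as a parameter.
pub fn find_user_safe(name: &str) -> Query {
    Query::new("SELECT id FROM users WHERE name = ?1").bind(name)
}
/// Pattern the reply warns about: `format!` splices input into the SQL text.
/// It compiles only via the wrapper, which marks exactly the places to audit.
pub fn find_user_spliced(name: &str) -> Query {
    Query::new(AssertSqlSafe(format!("SELECT id FROM users WHERE name = '{}'", name)))
}
/// Toy check: with a bind parameter the SQL text is input-independent; with
/// splicing, the input reshapes it (quote characters serve as a proxy here).
pub fn quote_count(q: &Query) -> usize { q.sql.matches('\'').count() }
```

Auditing an upgrade then reduces to searching for every `AssertSqlSafe` construction and confirming that the wrapped text is built only from trusted pieces.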