Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/imor/pg_escape
A Rust library to escape Postgres flavoured SQL
postgres postgresql sql sqlinject-defense
Last synced: 14 days ago
- Host: GitHub
- URL: https://github.com/imor/pg_escape
- Owner: imor
- License: apache-2.0
- Created: 2024-10-31T19:42:57.000Z (2 months ago)
- Default Branch: main
- Last Pushed: 2024-11-01T09:00:30.000Z (2 months ago)
- Last Synced: 2024-11-16T03:20:04.588Z (about 2 months ago)
- Topics: postgres, postgresql, sql, sqlinject-defense
- Language: Rust
- Homepage:
- Size: 18.6 KB
- Stars: 3
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE-APACHE
README
# pg_escape
`pg_escape` is a Rust library to escape Postgres flavoured SQL.
To avoid SQL injection attacks, user input that ends up in a query must be properly escaped. This library provides functions for that.
## quote_identifier
Use `quote_identifier` to properly quote an identifier. An identifier names a database object: names of tables, columns, views etc. are identifiers. Failing to quote user-supplied identifiers leads to SQL injection attacks. For example, if your system accepts a table name from a user and runs a `select * from ` query, it is vulnerable to SQL injection if the query is constructed like this:
```rust
let table_name = "users"; // supplied by user
let query = format!("select * from {table_name}");
```
Instead, do this:
```rust
use pg_escape::quote_identifier;
let table_name = "users"; // supplied by user
let quoted_table_name = quote_identifier(table_name);
let query = format!("select * from {quoted_table_name}");
```
## quote_literal
Use `quote_literal` to properly quote a literal. A literal is a value written literally in an SQL expression. As with `quote_identifier`, ensure that user-supplied literals are quoted. For example, don't do this:
```rust
let user = "john"; // supplied by user
let query = format!("select * from users where username = {user}");
```
Do this instead:
```rust
use pg_escape::quote_literal;
let user = "john"; // supplied by user
let quoted_user = quote_literal(user);
let query = format!("select * from users where username = {quoted_user}");
```
## When not to use `pg_escape`
Many Postgres client libraries and clients provide an option to run prepared statements (aka parameterized queries). Use them if available. `pg_escape` is useful in those constrained environments where prepared statements are not available. One such environment is a replication connection to Postgres: a replication connection supports only the [simple query protocol](https://www.postgresql.org/docs/current/protocol-flow.html#PROTOCOL-FLOW-SIMPLE-QUERY), as noted in the Postgres [streaming replication protocol document](https://www.postgresql.org/docs/current/protocol-replication.html).
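As an added example (not the crate's own code), here is a plain-Rust reimplementation of the two PostgreSQL quoting rules that the `quote_identifier` and `quote_literal` sections above rely on: double any embedded quote and wrap the value, and for literals containing a backslash double it and use the `E'...'` form, which is what PostgreSQL's own `quote_literal()` returns. `build_lookup` is a hypothetical helper that rebuilds the README's query from constructed inputs that a bare `format!` would let straight into the SQL.

```rust
// Added example (not from pg_escape): PostgreSQL quoting rules in plain Rust.
// Identifiers are always wrapped in "..." (PostgreSQL's quote_ident() omits the
// quotes when not needed; always quoting is still valid). Note that a quoted
// identifier is case-sensitive: "Users" is a different table from users.

/// Quote an identifier (table, column, view name) so it is read verbatim.
pub fn quote_identifier(name: &str) -> String {
    let mut out = String::with_capacity(name.len() + 2);
    out.push('"');
    for c in name.chars() {
        if c == '"' {
            out.push('"'); // double the embedded quote
        }
        out.push(c);
    }
    out.push('"');
    out
}

/// Quote a string literal, matching PostgreSQL's quote_literal() output.
pub fn quote_literal(value: &str) -> String {
    let mut out = String::with_capacity(value.len() + 3);
    if value.contains('\\') {
        out.push('E'); // escape-string syntax, independent of standard_conforming_strings
    }
    out.push('\'');
    for c in value.chars() {
        match c {
            '\'' => out.push_str("''"),   // double the embedded quote
            '\\' => out.push_str("\\\\"), // only reached when the E prefix was emitted
            _ => out.push(c),
        }
    }
    out.push('\'');
    out
}

/// Hypothetical helper: the README's lookup query with both pieces quoted first.
pub fn build_lookup(table: &str, user: &str) -> String {
    format!(
        "select * from {} where username = {}",
        quote_identifier(table),
        quote_literal(user)
    )
}

fn main() {
    // Constructed inputs carrying the characters a bare format! would pass through.
    println!("{}", build_lookup("my\"table", "O'Brien"));
}
```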