pg_escape
is a Rust library to escape Postgres flavoured SQL.
To avoid SQL injection attacks it is necessary to properly escape user input. This library provides functions for that.
Use quote_identifier
to properly quote an identifier. An identifier names a database object. E.g. names of tables, columns, view etc. are identifiers. Inability to quote user supplied identifiers leads to SQL injection attacks. For example, if your system accepts a table name from a user and runs a select * from <table_name>
query, it is vulnerable to SQL injection attacks if constructed like this:
let table_name = "users";//supplied by user
let query = format!("select * from {table_name}");
Instead, do this:
use pg_escape::quote_identifier;
let table_name = "users";//supplied by user
let quoted_table_name = quote_identifier(table_name);
let query = format!("select * from {quoted_table_name}");
Use quote_literal
to properly quote a literal. A literal is a value which is written literally in a SQL expression. Similar to quote_identifier
, ensure that user supplied literals are quoted. For example, don't do this:
let user = "john";//supplied by user
let query = format!("select * from users where username = {user}");
Do this instead:
use pg_escape::quote_literal;
let user = "john";//supplied by user
let quoted_user = quote_literal(user);
let query = format!("select * from users where username = {quoted_user}");
Many Postgres client libraries and clients provide an option to run prepared statements (aka parameterized queries). Use them if available. pg_escape
is useful for those constrained environments where prepared statements are not available. One example of such an environment is if you are connected to Postgres over a replication connection. A replication connection only supports a simple query protocol as mentioned in the Postgres streaming replication protocol document.