tokio-postgres and database query
There is such a module code (for working with a database):
use tokio_postgres::{NoTls, Error};

pub async fn hello() -> Result<(), Error> {
    // Connect to the database.
    let (client, connection) =
        tokio_postgres::connect("host=localhost user=postgres", NoTls).await?;

    // The connection object performs the actual communication with the database,
    // so spawn it off to run on its own.
    tokio::spawn(async move {
        if let Err(e) = connection.await {
            eprintln!("connection error: {}", e);
        }
    });

    // Now we can execute a simple statement that just returns its parameter.
    let rows = client
        .query("SELECT $1::TEXT", &[&"hello world"])
        .await?;

    // And then check that we got back the same string we sent over.
    let value: &str = rows[0].get(0);
    assert_eq!(value, "hello world");

    Ok(())
}
Question:
How, in this case, should access to the database be written?
(The guide doesn't say anything about it, or I didn't fully understand it.)
https://docs.rs/tokio-postgres/0.5.5/tokio_postgres/
What mechanisms in this case will protect access to the database from SQL injection?
The simplest general use case is needed.
Answers
client.query(statement, params) will convert the first argument, statement, to a prepared statement and execute it with the params.
To be safe from SQL injection, make sure that all user data is passed in the second (params) argument.
DO NOT DO THIS:
    // User data is interpolated into the SQL text, so it can change the statement itself.
    let id = "SOME DATA FROM THE USER";
    let rows = client
        .query(format!("SELECT * FROM SomeTable WHERE id = {}", id).as_str(), &[])
        .await?;
DO THIS:
    // The SQL text is fixed; the user value is sent separately as parameter $1.
    let id = "SOME DATA FROM THE USER";
    let rows = client
        .query("SELECT * FROM SomeTable WHERE id = $1", &[&id])
        .await?;
Explanation:
In tokio-postgres most client methods (query* or execute*) can accept either a &str or a Statement for the SQL statement. If passed a &str, it will create a prepared statement (a Statement object) for you.
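The following is an added illustration, not code from the answer above and not part of tokio-postgres. It runs with the standard library only, without a database, and makes the answer's point concrete: with the format!-based pattern the user value becomes part of the SQL text the server parses, so it can add clauses or whole statements; with a bound $1 parameter the text is a constant template and the value travels separately, so its keyword skeleton never changes. The small tokenizer (sql_keywords) and the sample inputs are constructed for this example; it also shows that naively doubling quotes is no substitute for binding when the value sits in an unquoted numeric position.

```rust
// Added illustration, not part of the original answer or of tokio-postgres:
// std-only, runs without a database. It shows why a bound parameter ($1)
// cannot change a statement's structure while string formatting can.

/// A small set of SQL keywords whose sequence we treat as the statement "skeleton".
const KEYWORDS: &[&str] = &[
    "SELECT", "FROM", "WHERE", "AND", "OR", "UNION", "DROP", "DELETE", "INSERT", "UPDATE", "TABLE",
];

/// The vulnerable pattern from the answer: user data becomes part of the SQL text.
fn build_by_formatting(id: &str) -> String {
    format!("SELECT * FROM SomeTable WHERE id = {}", id)
}

/// The safe pattern: the SQL text is a fixed template and the value travels
/// separately, as tokio-postgres does when it prepares the statement and binds $1.
fn build_with_parameter(id: &str) -> (&'static str, Vec<String>) {
    ("SELECT * FROM SomeTable WHERE id = $1", vec![id.to_string()])
}

/// A naive "double the quotes" defence, included to show it is no substitute for binding.
fn naive_escape(id: &str) -> String {
    id.replace('\'', "''")
}

fn push_word(word: &mut String, out: &mut Vec<String>) {
    if !word.is_empty() {
        let upper = word.to_ascii_uppercase();
        if KEYWORDS.contains(&upper.as_str()) {
            out.push(upper);
        }
        word.clear();
    }
}

/// Extracts the keyword skeleton of a SQL string, ignoring single-quoted literals
/// ('' is an escaped quote) and `--` comments. A minimal tokenizer, not a SQL parser.
fn sql_keywords(sql: &str) -> Vec<String> {
    let mut out = Vec::new();
    let mut word = String::new();
    let mut chars = sql.chars().peekable();
    while let Some(c) = chars.next() {
        match c {
            // Skip a single-quoted literal; keywords inside it are data, not SQL.
            '\'' => {
                push_word(&mut word, &mut out);
                loop {
                    match chars.next() {
                        None => break,
                        Some('\'') => {
                            if chars.peek() == Some(&'\'') {
                                chars.next();
                            } else {
                                break;
                            }
                        }
                        Some(_) => {}
                    }
                }
            }
            // Skip a `--` comment to the end of the line.
            '-' if chars.peek() == Some(&'-') => {
                push_word(&mut word, &mut out);
                while let Some(&next) = chars.peek() {
                    if next == '\n' {
                        break;
                    }
                    chars.next();
                }
            }
            c if c.is_ascii_alphanumeric() || c == '_' => word.push(c),
            _ => push_word(&mut word, &mut out),
        }
    }
    push_word(&mut word, &mut out);
    out
}

/// True when the text the server would parse keeps the template's keyword skeleton,
/// i.e. the user value did not alter what the statement does.
fn structure_preserved(template: &str, sent: &str) -> bool {
    sql_keywords(template) == sql_keywords(sent)
}

fn main() {
    let template = "SELECT * FROM SomeTable WHERE id = $1";
    // Constructed sample inputs: one benign, two hostile.
    for input in ["42", "1 OR 1=1", "1; DROP TABLE SomeTable; --"].iter() {
        let formatted = build_by_formatting(input);
        let (text, params) = build_with_parameter(input);
        println!(
            "input {:?}: formatted keeps structure = {}, bound keeps structure = {} (params {:?})",
            input,
            structure_preserved(template, &formatted),
            structure_preserved(template, text),
            params
        );
    }
}
```

The keyword check is only a teaching device; in a real service the defence is the one the answer gives, every user-supplied value goes in the params slice and the statement text is never built from user data. Binding also takes care of type handling (an i32 id is sent as an i32, not as text), which is why tokio-postgres makes the prepared-statement path the default for query and execute.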