• > However, this can lead to catastrophic SQL injection attacks if you use this for user input, because raw_sql does not support binding and sanitizing query parameters.

    That's surprising, given that SQLite itself supports binding and sanitizing query parameters via sqlite3_bind_*(). Is SQLx just blindly calling sqlite3_exec() instead of doing the prepare→bind→step→finalize sequence itself?

    • I believe so. When you call `raw_sql`, the API doesn't provide a way for you to specify which parts of the query are parameters, so it just passes that exact string to exec.
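The distinction the thread is drawing (handing the whole string to an exec-style call versus prepare→bind→step) can be shown without SQLx at all. The following is an added example, not code from the thread or from SQLx: it uses Python's standard-library `sqlite3` module against an in-memory database, because `executescript()` behaves like `sqlite3_exec()` (it takes a complete SQL string, accepts multiple statements, and offers no parameter binding), while `execute(sql, params)` goes through prepare/bind/step with `?` placeholders. The `users` table, its rows, and the function names are constructed for the example.

```python
import sqlite3

# Constructed schema and rows for the example (not from the thread).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL);
INSERT INTO users (name, is_admin) VALUES ('alice', 0), ('bob', 1), ('carol', 0);
"""


def open_db() -> sqlite3.Connection:
    """Fresh in-memory database. The schema is fixed, trusted text, so running
    it as a script (exec-style) is fine here; the problem is only user input."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_user_raw(conn: sqlite3.Connection, name: str) -> list[str]:
    """raw_sql-style lookup: the caller's string *is* the SQL text.
    Whatever `name` contains is parsed by SQLite as SQL, not bound as a value."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND is_admin = 0"
    return sorted(row[0] for row in conn.execute(sql))  # sorted for determinism


def find_user_bound(conn: sqlite3.Connection, name: str) -> list[str]:
    """prepare -> bind -> step: `?` is a placeholder compiled into the statement,
    and `name` is attached afterwards as data, so it never reaches the parser."""
    sql = "SELECT name FROM users WHERE name = ? AND is_admin = 0"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def delete_user_raw_script(conn: sqlite3.Connection, name: str) -> None:
    """executescript() mirrors sqlite3_exec(): the whole string is run, stacked
    statements included, and there is no parameter argument at all."""
    conn.executescript(
        f"DELETE FROM users WHERE name = '{name}' AND is_admin = 0;"
    )


def delete_user_bound(conn: sqlite3.Connection, name: str) -> int:
    """Same intent as above with a bound parameter; returns rows deleted."""
    cur = conn.execute(
        "DELETE FROM users WHERE name = ? AND is_admin = 0", (name,)
    )
    return cur.rowcount


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = open_db()
    payload = "x' OR 1=1 --"
    print("raw  :", find_user_raw(db, payload))    # every user, admins included
    print("bound:", find_user_bound(db, payload))  # nobody is literally named that
    print("raw  :", find_user_raw(db, "bob' --"))  # admin filter commented out
    drop = "nobody'; DROP TABLE users; --"
    print("bound delete removed", delete_user_bound(db, drop), "rows")
    delete_user_raw_script(db, drop)
    print("users table still exists:", table_exists(db, "users"))
```

The tautology payload only needs a single statement, which is why even the single-statement `execute(sql)` path is exploitable once the string has been assembled with user input; the stacked `DROP TABLE` needs an exec-style call that runs more than one statement, which is exactly what `raw_sql` provides and what the `?`/bind path structurally prevents.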