4

There is this module code (for working with a database):

```rust
use tokio_postgres::{NoTls, Error};

pub async fn hello() -> Result<(), Error> {
    // Connect to the database.
    let (client, connection) =
        tokio_postgres::connect("host=localhost user=postgres", NoTls).await?;

    // The connection object performs the actual communication with the database,
    // so spawn it off to run on its own.
    tokio::spawn(async move {
        if let Err(e) = connection.await {
            eprintln!("connection error: {}", e);
        }
    });

    // Now we can execute a simple statement that just returns its parameter.
    let rows = client
        .query("SELECT $1::TEXT", &[&"hello world"])
        .await?;

    // And then check that we got back the same string we sent over.
    let value: &str = rows[0].get(0);
    assert_eq!(value, "hello world");

    Ok(())
}
```

Question:
How, in this case, should access to the database be written?
(The guide doesn't say anything about it, or I didn't fully understand it.)
https://docs.rs/tokio-postgres/0.5.5/tokio_postgres/
What mechanisms in this case will protect database access from SQL injection?
The simplest general use case is needed.

  • Your question is unclear – Stargateur Sep 05 '20 at 00:27
  • "What mechanisms in this case will protect access to the database from sql injections?" query is a format string pattern, so it will probably escape things correctly. That is clearly the job of such an API – Stargateur Sep 05 '20 at 00:28
  • http://joxi.ru/YmEgJPahMMWOlA The question is as follows: there is a table in the database; the question is how to access it and pull something out or put something in, and what would be the correct, safe approach? – Mikhail Krivosheev Sep 05 '20 at 00:30
  • @MikeKharkov To prevent SQL injection, one uses prepared statements and parameterized queries; this is not dependent on Rust, tokio, or anything language related. Look at the function prepare of the Client struct. https://docs.rs/tokio-postgres/0.5.5/tokio_postgres/struct.Client.html – Félix Adriyel Gagnon-Grenier Sep 05 '20 at 01:24
  • It is unclear to me (too abstract); I need a very simple working sample which works with my current module. – Mikhail Krivosheev Sep 05 '20 at 01:31

1 Answer

6

client.query(statement, params) will convert the first argument statement to a prepared statement and execute it with the params.

To be safe from SQL injection, make sure that all user data is passed in the second params argument.

DO NOT DO THIS:

```rust
let id = "SOME DATA FROM THE USER";

// User data is spliced into the SQL text itself, so it can change the statement.
let rows = client
  .query(&format!("SELECT * FROM SomeTable WHERE id = {}", id), &[])
  .await?;
```

DO THIS:

```rust
let id = "SOME DATA FROM THE USER";

// The SQL text is fixed; the user value is bound to the $1 placeholder.
let rows = client
  .query("SELECT * FROM SomeTable WHERE id = $1", &[&id])
  .await?;
```

Explanation:

In tokio-postgres most client methods (query* or execute*) can accept either a &str or Statement for the sql statement. If passed a &str it will create a prepared statement (Statement object) for you.

Neopallium