Does string interpolation in raw queries affect prepared statements and query caching? #4081

Datron · 2024-06-24T06:22:45Z

Datron
Jun 24, 2024

Hi,
Lets say I have a query like this:

let sql = format!(
        "
    INSERT INTO {db_namespace}.dimensions
    (dimension, priority, created_at, created_by, schema)
    VALUES ($1, $2, $3, $4, $5)
    ON CONFLICT (dimension)
    DO UPDATE SET priority = $6,
     created_at = $7,
     created_by = $8,
     schema = $9
            "
    );

 let upsert = diesel::sql_query(sql)
        .bind::<diesel::sql_types::VarChar, _>(&new_dimension.dimension)
        .bind::<diesel::sql_types::Integer, _>(&new_dimension.priority)
        .bind::<diesel::sql_types::Timestamptz, _>(&new_dimension.created_at)
        .bind::<diesel::sql_types::VarChar, _>(&new_dimension.created_by)
        .bind::<diesel::sql_types::Json, _>(&new_dimension.schema)
        .bind::<diesel::sql_types::Integer, _>(&new_dimension.priority)
        .bind::<diesel::sql_types::Timestamptz, _>(&new_dimension.created_at)
        .bind::<diesel::sql_types::VarChar, _>(&new_dimension.created_by)
        .bind::<diesel::sql_types::Json, _>(&new_dimension.schema)
        .execute(&mut conn);

I'm trying to figure out what could go wrong with doing something like this.

Answered by weiznich

Jun 28, 2024

Prepared statements for queries issued via sql_query are not cached as described here: https://docs.diesel.rs/2.2.x/diesel/connection/statement_cache/index.html#a-primer-on-prepared-statement-caching-in-diesel

That written: By using format! to construct your SQL queries you open the possibility for sql injections.

View full answer

weiznich · 2024-06-28T13:03:46Z

weiznich
Jun 28, 2024
Maintainer

Prepared statements for queries issued via sql_query are not cached as described here: https://docs.diesel.rs/2.2.x/diesel/connection/statement_cache/index.html#a-primer-on-prepared-statement-caching-in-diesel

That written: By using format! to construct your SQL queries you open the possibility for sql injections.

1 reply

Datron Jul 1, 2024
Author

Thanks @weiznich!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Does string interpolation in raw queries affect prepared statements and query caching? #4081

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Does string interpolation in raw queries affect prepared statements and query caching? #4081

Datron Jun 24, 2024

Replies: 1 comment · 1 reply

weiznich Jun 28, 2024 Maintainer

Datron Jul 1, 2024 Author

Datron
Jun 24, 2024

Replies: 1 comment 1 reply

weiznich
Jun 28, 2024
Maintainer

Datron Jul 1, 2024
Author