From 3eb8bdea9fdf77bbd4cbc98ad4a1b231e6b7f243 Mon Sep 17 00:00:00 2001
From: Joey de Waal
Date: Fri, 30 Jan 2026 15:33:34 +0100
Subject: [PATCH 1/2] add diagnostic to `SqlStr`
---
 sqlx-core/src/sql_str.rs | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/sqlx-core/src/sql_str.rs b/sqlx-core/src/sql_str.rs
index 100f270214..5b9ef35d51 100644
--- a/sqlx-core/src/sql_str.rs
+++ b/sqlx-core/src/sql_str.rs
@@ -35,6 +35,15 @@ use std::sync::Arc;
 /// [injection]: https://en.wikipedia.org/wiki/SQL_injection
 /// [`query()`]: crate::query::query
 /// [`raw_sql()`]: crate::raw_sql::raw_sql
+#[diagnostic::on_unimplemented(
+ label = "dynamic SQL string",
+ message = "dynamic SQL strings should be audited for possible injections",
+ note = "prefer literal SQL strings with bind parameters or `QueryBuilder` to add dynamic data to a query.
+
+To bypass this error, manually audit for potential injection vulnerabilities and wrap with `AssertSqlSafe()`. For details, see the docs for `SqlSafeStr`.\n",
+ note = "by default, this trait is only implemented for `&'static str`, not all `&str` like the compiler error may suggest"
+)]
 pub trait SqlSafeStr {
 /// Convert `self` to a [`SqlStr`].
 fn into_sql_str(self) -> SqlStr;
From 72c995b16153b546ae5b3a57fc1c4a3b7ce21855 Mon Sep 17 00:00:00 2001
From: Joey de Waal
Date: Fri, 30 Jan 2026 16:31:12 +0100
Subject: [PATCH 2/2] Update note
---
 sqlx-core/src/sql_str.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sqlx-core/src/sql_str.rs b/sqlx-core/src/sql_str.rs
index 5b9ef35d51..53e404268f 100644
--- a/sqlx-core/src/sql_str.rs
+++ b/sqlx-core/src/sql_str.rs
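Review bot: `#[diagnostic::on_unimplemented]` on `SqlSafeStr` needs rustc 1.78 or newer, so if the crate's declared MSRV (its `rust-version`, not shown in this patch) is lower, the attribute is a hard compile error on that toolchain rather than an ignored hint; the MSRV should be raised in the same change or the attribute gated. The custom `message` also drops the offending type that the default "trait bound not satisfied" error showed; the attribute supports a `{Self}` placeholder, e.g. `message = "`{Self}` is a dynamic SQL string and should be audited for possible injections"`, which tells the user at a glance whether a `String` or a non-`'static` `&str` is the value that needs a literal, a bind parameter, or a deliberate `AssertSqlSafe()` wrap. The continuation lines of the first `note` string are part of the literal, so any indentation added there by a future `rustfmt` pass or edit would be emitted verbatim into the diagnostic. The `SqlSafeStr` trait body continues past the end of the hunk.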
@@ -42,7 +42,7 @@ use std::sync::Arc;
 To bypass this error, manually audit for potential injection vulnerabilities and wrap with `AssertSqlSafe()`.
 For details, see the docs for `SqlSafeStr`.\n",
- note = "by default, this trait is only implemented for `&'static str`, not all `&str` like the compiler error may suggest"
+ note = "this trait is only implemented for `&'static str`, not all `&str` like the compiler error may suggest"
 )]
 pub trait SqlSafeStr {
 /// Convert `self` to a [`SqlStr`].
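Review bot: The reworded note still states the trait is "only implemented for `&'static str`", which contradicts the note directly above it in the same attribute that tells the user to wrap the value in `AssertSqlSafe()` — that bypass only compiles if an impl exists for the wrapper, so the sentence is narrower than what the code offers and a reader may conclude the wrapper route is a dead end. Consider `note = "this trait is implemented for `&'static str` and for values explicitly wrapped in `AssertSqlSafe(..)`, not for all `&str` like the compiler error may suggest"`. That keeps the intended nudge (a runtime-built string only compiles after a deliberate, greppable wrap that an auditor can find) while staying consistent with the surrounding text. The `SqlSafeStr` trait body continues past the end of the hunk.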