Is there any reference/documentation for sanitizing SQL table/column idents input?

[LucaCappelletti94]

Backend

PostgreSQL, SQLite

Diesel version

Current main branch

Diesel Features

postgres, sqlite, extras

Operating System Version

No response

Third party libraries

No response

What do you want to do?

I am writing some rather generic db introspection tools to load an SQL database as a graph, where I treat primary keys of a row in the DB as a node, and foreign keys between a row to other rows as edges.

In order to define this conversion for generic DBs, at this time I am using a rather cursedly unsafe query such as the following one:

let query = diesel::sql_query(format!(
    "SELECT {primary_key_column_names} FROM \"{table_name}\"",
    primary_key_column_names = ["list", "of", "introspected", "keys"],
    table_name = "table introspected from DB"
));

I call the above unsafe because there may be antagonistic cases where the table or column names being introspected contain SQL that could brick the DB. Is there any diesel-friendly ident validation?

The only safer alternative that diesel supports that I am aware of would be to create an enumeration of all table markers, and then an enumeration of the columns of each of those tables, and requiring in the trait that such a struct implements FromStr to use with the introspection.

Is there any other safe option that would require less code setup?

If the enum route is the only safe option, would it be desirable to add the derivation of the column enum as another optional derive feature for the model structs?

Luca

Compile time error

No response

What code do you already have?

No response

Additional details

No response

Checklist

• I have already looked over the issue tracker and the discussion forum for similar possible closed issues.

[weiznich]

There are several solutions here:

• diesel-dynamic-schema
• Building your own query DSL extension by implementing QueryFragment and using the relevant functions on AstPass

Both internally quote the identifier so it should be mostly safe

[LucaCappelletti94]

The former looks perfect, thanks!