
Write Transactions Are a Footgun with Rust's SQLx and SQLite

9 points by emschwartz, today at 6:33 PM, 2 comments

Comments

yellowapple, today at 10:19 PM

> However, this can lead to catastrophic SQL injection attacks if you use this for user input, because raw_sql does not support binding and sanitizing query parameters.

That's surprising, given that SQLite itself supports binding and sanitizing query parameters via sqlite_bind_*(). Is SQLx just blindly calling sqlite3_exec() instead of doing the prepare→bind→step→finalize sequence itself?

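An added illustration of the distinction yellowapple is asking about, not code from the post or from SQLx: Python's standard-library sqlite3 module stands in for the Rust driver, with executescript() (no parameter binding, like sqlite3_exec()) beside execute() with a `?` placeholder (the prepare, bind, step, finalize path). The table and the input value are constructed for the demo.

```python
import sqlite3

# Constructed sample input: a legitimate value that happens to contain a quote.
USER_INPUT = "O'Brien"


def _fresh_db():
    """In-memory database with one table, created fresh for each path."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def insert_raw(conn, body):
    """Raw-SQL path: executescript() accepts no parameters (as sqlite3_exec
    does not), so the only way to get the value in is to splice it into the
    statement text, where SQLite parses it as SQL syntax."""
    conn.executescript(f"INSERT INTO notes (body) VALUES ('{body}')")


def insert_bound(conn, body):
    """Bound path: '?' is a placeholder; the driver prepares the statement
    and binds the value, so the value is stored verbatim, never parsed."""
    conn.execute("INSERT INTO notes (body) VALUES (?)", (body,))
    conn.commit()


def stored_bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM notes ORDER BY id")]


def compare(body):
    """Run the same value through both paths.

    Returns (raw_outcome, bound_outcome): the raw path yields either the
    stored rows or an 'error: ...' string when the spliced text breaks
    the statement; the bound path always yields the stored rows."""
    raw = _fresh_db()
    try:
        insert_raw(raw, body)
        raw_outcome = stored_bodies(raw)
    except sqlite3.Error as exc:
        raw_outcome = f"error: {exc}"
    bound = _fresh_db()
    insert_bound(bound, body)
    return raw_outcome, stored_bodies(bound)


if __name__ == "__main__":
    print(compare("hello"))      # both paths agree on plain input
    print(compare(USER_INPUT))   # raw path fails to parse, bound path stores it
```

The single quote is enough to show the difference: with splicing the input changes the statement's structure, whereas a bound parameter is data regardless of its contents.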