How does HugSQL help protect against SQL injection?
HugSQL attempts to provide a set of tools that help protect against SQL injection where possible without taking away power from the developer. Below are a few potential SQL injection attack vectors and HugSQL's response to each:
Value Parameters, Value List Parameters, Tuple Parameters, and Tuple List Parameters are all variations on SQL value parameters that convert a Clojure data type to SQL. By default, all of these parameter types defer to the underlying database library to perform SQL parameter binding to prevent SQL injection issues.
Identifier Parameters and [Identifier List Parameters(/hugsql-in-detail/parameter-types/sql-identifier-list-parameters) support quoting and escaping of identifiers with the
:quoting option. By default,
:off, since HugSQL makes no assumptions about your given database. This may be fine for your use case if you are not taking identifiers from user input.
If you are taking identifiers from user input, you should use the
:quoting option to prevent SQL injection! See Identifier Parameters for details.
Raw SQL Parameters
Raw SQL Parameters are exactly what they seem, and it is your responsibility to sanitize any usage of this parameter type when using user input.
Snippets generate sqlvecs and Snippet Parameter Types consume sqlvecs. For snippets containing any HugSQL parameter types, the same rules as above apply. If you are consuming a snippet (or sqlvec) from your own code or another library (say, HoneySQL), then other rules might apply.
Custom Parameter Types
Custom Parameter Types allow you to create your own parameter types. It is your responsibility to ensure your implementation protects against SQL injection by properly escaping your data.
Clojure Expressions should return either a string or nil, and strings returned from expressions are parsed at runtime to support HugSQL parameters. The same rules apply for the above parameter types.