Integration with SQLStrings.jl

This integrates the SQLStrings package into LibPQ, making it usable with
the execute() function.

Author: c42f

Project.toml

@@ -17,6 +17,7 @@ LibPQ_jll = "08be9ffa-1c94-5ee5-a977-46a84ec9b350"
 Libdl = "8f399da3-3557-5675-b5ff-fb832c97cbdb"
 Memento = "f28f55f0-a522-5efc-85c2-fe41dfb9b2d9"
 OffsetArrays = "6fe1bfb0-de20-5000-8ca7-80f57d26f881"
+SQLStrings = "af517c2e-c243-48fa-aab8-efac3db270f5"
 Tables = "bd369af6-aec1-5ad0-b16a-f7cc5008161c"
 TimeZones = "f269a46b-ccf7-5d73-abea-4c690281aa53"
 
@@ -32,6 +33,7 @@ LayerDicts = "1"
 LibPQ_jll = "14"
 Memento = "0.10, 0.11, 0.12, 0.13, 1"
 OffsetArrays = "0.9.1, 0.10, 0.11, 1"
+SQLStrings = "0.1"
 Tables = "0.2, 1"
 TimeZones = "0.9.2, 0.10, 0.11, 1"
 julia = "1.6"

src/LibPQ.jl

@@ -26,6 +26,7 @@ using IterTools: imap
 using LayerDicts
 using Memento: Memento, getlogger, warn, info, error, debug
 using OffsetArrays
+using SQLStrings
 using TimeZones
 
 const Parameter = Union{String,Missing}

src/results.jl

@@ -299,6 +299,16 @@ function _multi_execute(
     return handle_result(Result(result, jl_conn; kwargs...); throw_error=throw_error)
 end
 
+function execute(
+    jl_conn::Connection,
+    sql::SQLStrings.Sql;
+    throw_error::Bool=true,
+    kwargs...
+)
+    query, parameters = SQLStrings.prepare(sql)
+    execute(jl_conn, query, parameters; throw_error=throw_error, kwargs...)
+end
+
 function execute(
     jl_conn::Connection,
     query::AbstractString,

test/runtests.jl

@@ -10,6 +10,7 @@ using IterTools: imap
 using Memento
 using Memento.TestUtils
 using OffsetArrays
+using SQLStrings
 using TimeZones
 using Tables
 
@@ -1520,6 +1521,35 @@ end
             close(conn)
         end
 
+        @testset "SQLString" begin
+            conn = LibPQ.Connection("dbname=postgres user=$DATABASE_USER")
+
+            execute(conn, sql```
+               CREATE TEMPORARY TABLE libpq_test_users (
+                   id integer primary key,
+                   name text
+               )```)
+            # The canonical SQL injection https://xkcd.com/327/
+            for (id,name) in [(1,"Foo"), (2, "Robert'); DROP TABLE libpq_test_users; --")]
+                execute(conn, sql```
+                        INSERT INTO libpq_test_users
+                        VALUES ( $id, $name )
+                        ```)
+            end
+            result = execute(conn, sql`SELECT * from libpq_test_users where id = 2`)
+            @test first(result).name == "Robert'); DROP TABLE libpq_test_users; --"
+
+            # Splatting example
+            user = (3,"Bar")
+            execute(conn, sql```
+                    INSERT INTO libpq_test_users
+                    VALUES ( $(user...) )
+                    ```)
+            bar_id = 3
+            result = execute(conn, sql`SELECT * from libpq_test_users where id = $bar_id`)
+            @test first(result).name == "Bar"
+        end
+
         @testset "Query Errors" begin
             @testset "Syntax Errors" begin
                 conn = LibPQ.Connection("dbname=postgres user=$DATABASE_USER"; throw_error=true)