Mikhail Krivosheev

Reputation: 569

tokio-postgres and database query

There is such a module code (for working with a database):

use tokio_postgres::{NoTls, Error};

pub async fn hello() -> Result<(), Error> {

    // Connect to the database.
    let (client, connection) =
        tokio_postgres::connect("host=localhost user=postgres", NoTls).await?;

    // The connection object performs the actual communication with the database,
    // so spawn it off to run on its own.
    tokio::spawn(async move {
        if let Err(e) = connection.await {
            eprintln!("connection error: {}", e);
        }
    });

    // Now we can execute a simple statement that just returns its parameter.
    let rows = client
        .query("SELECT $1::TEXT", &[&"hello world"])
        .await?;

    // And then check that we got back the same string we sent over.
    let value: &str = rows[0].get(0);
    assert_eq!(value, "hello world");

    Ok(())
}

Question:
How, in this case, should the access to the database be written?
(The guide doesn't say anything about it - or I didn't fully understand it.)
https://docs.rs/tokio-postgres/0.5.5/tokio_postgres/
What mechanisms in this case will protect access to the database from SQL injections?
The simplest general use case is needed.

Upvotes: 4

Views: 5766

Answers (1)

Neopallium

Reputation: 1458

client.query(statement, params) will convert the first argument statement to a prepared statement and execute it with the params.

To be safe from SQL injection, make sure that all user data is passed in the second params argument.

DO NOT DO THIS:

let id = "SOME DATA FROM THE USER";

// The user data is spliced into the SQL text itself, so it can change the
// statement that gets executed. (format! returns a String; it is borrowed as
// &str here so the snippet compiles, which does not change what is wrong with it.)
let sql = format!("SELECT * FROM SomeTable WHERE id = {}", id);
let rows = client
  .query(sql.as_str(), &[])
  .await?;

DO THIS:

let id = "SOME DATA FROM THE USER";

// The SQL text is a fixed string with a $1 placeholder; the user data is sent
// separately as a parameter and is never interpreted as SQL.
let rows = client
  .query("SELECT * FROM SomeTable WHERE id = $1", &[&id])
  .await?;

Explanation:

In tokio-postgres, most client methods (query* or execute*) can accept either a &str or a Statement for the SQL statement. If passed a &str, it will create a prepared statement (Statement object) for you.

Upvotes: 7
