by borntyping 2951 days ago
The second function only accepts strings defined at compile time, meaning it can't be called with strings created at runtime (i.e. any string containing user input).
2 comments

So what do you do if you need to make a SQL call based on user input?
Use parameters, of course. Using SQL parameters for untrusted input is the only sane way to avoid SQL injections.
Just add "to_owned()" and problem solved. This function doesn't protect anything; it's bullshit. I love Rust, but the author is far from the theme he is trying to describe. And the theme is dangerous enough.
to_owned() converts to a String, not to a &'static str. Those are not the same. You can't create a &'static str dynamically (though you can mutate one using unsafe.)
You can convert a `String` into a `&'static str` using only safe stdlib functions via `Box::leak(s.into())`. This uses `unsafe` internally, of course... but so does almost any code.
Ah cool, I hadn't heard about Box::leak until now. Coming to stable in 1.26 it seems.
lol, so you call your SQL just with constants? "username" in his example is just for one user forever? Still bullshit.
No, only the SQL statement has to be 'static. It's not bullshit.
Can you provide a real-world example, please?
From TFA:

let _rows = sql_query("SELECT * FROM users WHERE username=?", &[username]);

The statement is static, but the [username] part is not, it's just a variable that can have whatever username you want.
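The pattern the thread argues over, as an added example (not code from the article or from any commenter): a hypothetical `sql_query` whose statement parameter is typed `&'static str`, so a string assembled at runtime cannot be passed as the SQL text, while untrusted values travel separately as bound parameters. `PreparedQuery`, `sql_query`, `find_user` and `leaked_static` are names assumed for this example, not a real driver's API; the placeholder count check is a simplified stand-in for what a driver does when binding. The last function reproduces the caveat raised above: `Box::leak` yields a `&'static str` from a runtime `String` with only safe code, so the type signature is a guard rail, not a proof, and statement text reaching `Box::leak` is something a reviewer should flag.

```rust
/// A statement whose text is fixed at compile time plus its bound parameters.
/// (Struct name and fields are assumptions for this example.)
#[derive(Debug, PartialEq)]
pub struct PreparedQuery {
    pub sql: &'static str,
    pub params: Vec<String>,
}

/// Accepts only a `&'static str` statement. A `String` built at runtime, e.g.
/// `format!("SELECT ... '{}'", input).as_str()`, is a compile-time error here
/// because the borrow does not live for `'static`.
/// The `?` count must match the parameter count; a real driver checks this when
/// binding. Counting every `?` is a simplification (a `?` inside a SQL string
/// literal would be miscounted).
pub fn sql_query(sql: &'static str, params: &[&str]) -> Result<PreparedQuery, String> {
    let placeholders = sql.matches('?').count();
    if placeholders != params.len() {
        return Err(format!(
            "statement has {} placeholder(s) but {} parameter(s) were supplied",
            placeholders,
            params.len()
        ));
    }
    Ok(PreparedQuery {
        sql,
        params: params.iter().map(|p| p.to_string()).collect(),
    })
}

/// The lookup quoted from the article: fixed statement, runtime username as a
/// bound parameter. The username is carried as data, so a value such as
/// `' OR 1=1 --` stays a literal the driver binds rather than SQL syntax.
pub fn find_user(username: &str) -> Result<PreparedQuery, String> {
    sql_query("SELECT * FROM users WHERE username=?", &[username])
}

/// The caveat from the thread: `Box::leak` turns a runtime `String` into a
/// `&'static str` using only safe stdlib calls, so the type check alone cannot
/// stop interpolated text from being handed in as the statement. Each call
/// leaks its allocation for the life of the process.
pub fn leaked_static(s: String) -> &'static str {
    Box::leak(s.into_boxed_str())
}

fn main() {
    // Correct use: statement literal plus bound parameter.
    let q = find_user("alice").expect("one placeholder, one parameter");
    println!("{:?}", q);

    // Mismatched arity is rejected at bind time.
    match sql_query("SELECT * FROM users WHERE id=? AND org=?", &["42"]) {
        Ok(_) => println!("unexpected"),
        Err(e) => println!("rejected: {}", e),
    }

    // The escape hatch: a leaked String satisfies `&'static str`.
    let leaked = leaked_static(String::from("SELECT 1"));
    println!("leaked statement accepted: {}", sql_query(leaked, &[]).is_ok());
}
```

The type-level restriction buys a cheap, compiler-enforced default (statement text is a literal; everything else is a parameter), and the `Box::leak` path shows why it should be paired with code review or a lint on `leak` calls rather than relied on alone.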