PgReplicationConnection::exec(query: &str) in src/connection/libpq.rs calls PQexec, which has no parameter slot. Consumers that need to embed dynamic values (relation names, LSNs, slot names, snapshot IDs) must concatenate the SQL string and escape by hand, and any miss is a SQL injection. There is no safe alternative on the connection surface today.
I intend to add exec_with_params(sql: &str, params: &[&dyn ToSql]) -> Result<PgResult> that wraps libpq PQexecParams. paramTypes defaults to null so the server infers from values, paramFormats defaults to text, resultFormat defaults to text for parity with exec. Option<T> encodes SQL NULL. Existing exec stays untouched, the addition is purely additive.
PgReplicationConnection::exec(query: &str)insrc/connection/libpq.rscallsPQexec, which has no parameter slot. Consumers that need to embed dynamic values (relation names, LSNs, slot names, snapshot IDs) must concatenate the SQL string and escape by hand, and any miss is a SQL injection. There is no safe alternative on the connection surface today.I intend to add
exec_with_params(sql: &str, params: &[&dyn ToSql]) -> Result<PgResult>that wraps libpqPQexecParams.paramTypesdefaults tonullso the server infers from values,paramFormatsdefaults to text,resultFormatdefaults to text for parity withexec.Option<T>encodes SQLNULL. Existingexecstays untouched, the addition is purely additive.