Fix SQL Injection (Legacy & Modern) in Warp
Warp's type-safety is a myth if your database layer is trash. Developers often mistake Rust's memory safety for injection resistance. If you're using `format!` or string concatenation to build queries inside a Warp filter, you're opening a hole for basic T-SQL or PG-specific exfiltration. Real pros use parameterized queries and typed filters to kill the bug at the source.
The Vulnerable Pattern

```rust
use warp::Filter;

// DANGER: string interpolation in SQL. The path segment becomes part of the
// statement text, so quotes and comment markers in it change the query itself.
let route = warp::path!("api" / "user" / String)
    .and_then(|username: String| async move {
        let query = format!("SELECT * FROM users WHERE name = '{}'", username);
        // Imagine this executes against a DB
        Ok::<_, warp::Rejection>(format!("Executing: {}", query))
    });
```
The Secure Implementation
The vulnerable snippet uses `format!` to splice a raw string into the SQL statement. An attacker could pass `admin'--` to bypass the name check (everything after `--` is a comment) or `'; DROP TABLE users--` to destroy the schema. The secure version adds two layers: first, Warp's typed path filter extracts the segment as a `String`, which constrains the shape of the URL but not the content of the value; second, `sqlx::query!` sends a prepared statement with a placeholder (`$1`) and transmits the value separately. The database driver therefore treats the input strictly as data, never as part of the statement, which neutralizes SQL injection regardless of what the string contains.
```rust
use serde::Serialize;
use sqlx::PgPool;
use warp::Filter;

// Row type for the query; Serialize lets warp::reply::json encode it.
#[derive(Serialize)]
struct User { id: i64, name: String }

// Hands a clone of the connection pool to each request.
fn with_db(pool: PgPool) -> impl Filter<Extract = (PgPool,), Error = std::convert::Infallible> + Clone {
    warp::any().map(move || pool.clone())
}

// SECURE: typed path segment and parameterized query ($1 is bound by the driver)
let route = warp::path!("api" / "user" / String)
    .and(with_db(pool))
    .and_then(|username: String, db: PgPool| async move {
        let user = sqlx::query_as!(User, "SELECT id, name FROM users WHERE name = $1", username)
            .fetch_optional(&db)
            .await;
        match user {
            Ok(Some(u)) => Ok(warp::reply::json(&u)),
            // No matching row, or a DB error: reject (a real service would log the error).
            Ok(None) | Err(_) => Err(warp::reject::not_found()),
        }
    });
```
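To make the driver-level difference concrete without a Postgres instance, here is an added example (not part of the original article or of Warp or sqlx) that reproduces the two patterns against Python's built-in `sqlite3` module. The `users` table and its rows are constructed for the demo; `lookup_vulnerable` mirrors the `format!` route and `lookup_parameterized` mirrors the `$1` placeholder (SQLite spells it `?`). Running both with the page's `admin'--` input shows the interpolated query matching the admin row while the bound parameter matches nothing.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the Postgres `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("admin", "superuser"), ("alice", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Mirrors the format! pattern: the input becomes part of the statement text,
    # so a quote closes the literal and "--" comments out the rest of the line.
    sql = f"SELECT name, role FROM users WHERE name = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Mirrors sqlx::query!(... $1 ...): the statement is fixed and the value is
    # bound by the driver, so quote and comment characters are compared as data.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (username,)
    ).fetchall()


def compare(username: str) -> dict:
    """Run both lookups on a fresh database and return the rows each produced."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, username),
        "parameterized": lookup_parameterized(conn, username),
    }


if __name__ == "__main__":
    for probe in ("alice", "admin'--"):
        print(repr(probe), compare(probe))
```

The benign input `alice` returns the same row from both functions; only the hostile input diverges, which is exactly the property a regression test for this route should assert on.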
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.