From 8189f897ce8c7cf92cacdeba80ade7b3cb832faa Mon Sep 17 00:00:00 2001
From: Joey de Waal <99046430+joeydewaal@users.noreply.github.com>
Date: Mon, 2 Feb 2026 16:13:52 +0100
Subject: [PATCH] Add on unimplemented diagnostic to `SqlStr` (#4153)

* add diagnostic to `SqlStr`

* Update note
---
 sqlx-core/src/sql_str.rs | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/sqlx-core/src/sql_str.rs b/sqlx-core/src/sql_str.rs
index 100f2702..53e40426 100644
--- a/sqlx-core/src/sql_str.rs
+++ b/sqlx-core/src/sql_str.rs
@@ -35,6 +35,15 @@ use std::sync::Arc;
 /// [injection]: https://en.wikipedia.org/wiki/SQL_injection
 /// [`query()`]: crate::query::query
 /// [`raw_sql()`]: crate::raw_sql::raw_sql
+#[diagnostic::on_unimplemented(
+    label = "dynamic SQL string",
+    message = "dynamic SQL strings should be audited for possible injections",
+    note = "prefer literal SQL strings with bind parameters or `QueryBuilder` to add dynamic data to a query.
+
+To bypass this error, manually audit for potential injection vulnerabilities and wrap with `AssertSqlSafe()`.
+For details, see the docs for `SqlSafeStr`.\n",
+    note = "this trait is only implemented for `&'static str`, not all `&str` like the compiler error may suggest"
+)]
 pub trait SqlSafeStr {
     /// Convert `self` to a [`SqlStr`].
     fn into_sql_str(self) -> SqlStr;