Diesel: document (lack of?) risk of SQL injection

Created on 29 Feb 2016 · 4 Comments · Source: diesel-rs/diesel

Does diesel automatically escape variables to prevent SQL injection attacks?

I see `escape_identifier` for the Postgres `RawConnection`, and indeed I was apparently unable to hijack my diesel-based interactions with Postgres. That said, I'm not a seasoned attacker, nor did I try with SQLite.

I also found a quote claiming that SQL injection attacks are stopped.

Either way, it would be helpful to discuss what measures are taken by diesel and what measures should be taken by the user to prevent SQL injection attacks.

All 4 comments

Does diesel automatically escape variables to prevent SQL injection attacks?

Yes.

Either way, it would be helpful to discuss what measures are taken by diesel

I'm not sure we should go too in depth here. Protection from SQL injection attacks is pretty much an assumed feature of any ORM.

what measures should be taken by the user to prevent SQL injection attacks.

None

Going to close this issue. Please do comment if you still think that there is something actionable to be done here.

Well, given the quote "We achieve this by having Diesel eliminate the possibility of incorrect database interactions at compile time", it wasn't clear to me that Diesel was doing runtime checking on top of compile-time checks. So, sure, traditional ORMs should stop injection attacks, but Diesel is very different from ORMs I've used.

I do think that some documentation (one sentence) somewhere saying that SQL injection is stopped via escaping identifiers at runtime would be useful.

Again, I think that escaping identifiers and strings (or using prepared statements, which is what we do) would be assumed of _all_ ORMs, but feel free to open a PR and we can discuss the specific changes you'd like to make to the docs.
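The maintainer's answer above is "prepared statements": the SQL text is sent to the database separately from the values, so a value can never become part of the statement's grammar. The following is an added illustration of that mechanism, written for this page; it is not Diesel's code and uses no Diesel API. It builds a tiny query builder whose `push_sql` accepts only programmer-written literals and whose `push_bind` turns a runtime value into a `$n` placeholder, then contrasts it with the `format!`-style interpolation that injection relies on. The table and column names, the `QueryBuilder`/`Param` types and the payload string are all constructed for the example.

```rust
use std::fmt::Write as _;

/// A value sent to the database separately from the statement text.
/// (Stand-in for a driver's typed bind values; not Diesel's types.)
#[derive(Debug, Clone, PartialEq)]
pub enum Param {
    Text(String),
}

/// Statement text with `$n` placeholders plus the values to bind to them,
/// i.e. the two halves of a prepared statement.
#[derive(Debug, PartialEq)]
pub struct PreparedQuery {
    pub sql: String,
    pub params: Vec<Param>,
}

/// Minimal builder that never lets data into the SQL text.
/// `push_sql` takes only `&'static str` literals written by the programmer
/// (this example's own choice of signature); runtime values must go through
/// `push_bind`, which emits a placeholder instead of the value.
pub struct QueryBuilder {
    sql: String,
    params: Vec<Param>,
}

impl QueryBuilder {
    pub fn new() -> Self {
        QueryBuilder { sql: String::new(), params: Vec::new() }
    }

    /// Append a trusted fragment of SQL.
    pub fn push_sql(&mut self, fragment: &'static str) -> &mut Self {
        self.sql.push_str(fragment);
        self
    }

    /// Append an untrusted value: the text gets `$n`, the value goes to `params`.
    pub fn push_bind(&mut self, value: Param) -> &mut Self {
        self.params.push(value);
        // Writing into a String cannot fail.
        write!(self.sql, "${}", self.params.len()).expect("write to String");
        self
    }

    pub fn finish(self) -> PreparedQuery {
        PreparedQuery { sql: self.sql, params: self.params }
    }
}

/// The injectable pattern: user input formatted into the statement text.
/// An input such as `' OR 1=1 --` rewrites the WHERE clause.
pub fn lookup_user_naive(name: &str) -> String {
    format!("SELECT id FROM users WHERE name = '{}'", name)
}

/// The prepared-statement pattern: the same lookup with the name bound.
/// The statement text is fixed in the source; only `params` varies.
pub fn lookup_user_bound(name: &str) -> PreparedQuery {
    let mut q = QueryBuilder::new();
    q.push_sql("SELECT id FROM users WHERE name = ")
        .push_bind(Param::Text(name.to_string()));
    q.finish()
}

/// True if `input` changed the statement text relative to a benign input,
/// i.e. the input altered the query's structure. Always false for the
/// bound version, whatever the input contains.
pub fn input_altered_statement(input: &str) -> bool {
    lookup_user_bound(input).sql != lookup_user_bound("alice").sql
}

fn main() {
    // Constructed payload for the demonstration.
    let payload = "' OR 1=1 --";
    println!("naive: {}", lookup_user_naive(payload));
    let q = lookup_user_bound(payload);
    println!("bound: {}  params={:?}", q.sql, q.params);
    println!("structure altered by payload: {}", input_altered_statement(payload));
}
```

The point the thread makes is visible in the two outputs: the naive string ends up as `... WHERE name = '' OR 1=1 --'`, while the bound query's text is the same for every input and the payload travels only as `params[0]`, where the database treats it as a string, not as SQL. In Diesel itself, both the query DSL (for example `users.filter(name.eq(input))`) and `sql_query(...).bind::<Text, _>(input)` send `input` as a bind parameter in this way. The one caveat that applies to any ORM with a raw-SQL escape hatch: if the application assembles the statement string itself with `format!` and hands the result to a raw-SQL entry point such as `sql_query`, the value is already part of the text before the library sees it, and no bind parameter exists to protect it.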
