dongxiaoyan4388 2018-05-22 23:04
浏览 91
已采纳

我可以在Go中参数化create语句吗?

Using the Go SQL library we can create SELECT, INSERT, UPDATE and DELETE statements with parameters like this:

db.Query("SELECT * FROM database.table WHERE param = ?", param_value)

I want to create tables from user provided input that describes the table structure, users will be asked for the name of the table and the name and type of each column they want to create. However, building a CREATE statement in the query interface Creating a CREATE statement by concatenating strings together works, but that's a SQL injection attack waiting to happen.

Is there a way to parameterize CREATE statements using the Go SQL library?

  • 写回答

1条回答 默认 最新

  • douna5529 2018-05-23 00:24
    关注

    SQL query parameters take the place of a scalar value only.

    That is, you can use a parameter to substitute only where you would otherwise use a constant quoted string, constant quoted date/time, or constant numeric.

    SQL query parameters can't be used for:

    • Table names, column names, or other identifiers
    • SQL expressions
    • Lists of scalar values (like in an IN(...) predicate)
    • SQL keywords

    The proper way to write your app that takes user input which describes table structure is to interpret the user input as a guide, not as literal SQL syntax. Avoid passing user input (or any unsafe content) through to be executed as part of any SQL statement.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 如何绘制动力学系统的相图
  • ¥15 对接wps接口实现获取元数据
  • ¥20 给自己本科IT专业毕业的妹m找个实习工作
  • ¥15 用友U8:向一个无法连接的网络尝试了一个套接字操作,如何解决?
  • ¥30 我的代码按理说完成了模型的搭建、训练、验证测试等工作(标签-网络|关键词-变化检测)
  • ¥50 mac mini外接显示器 画质字体模糊
  • ¥15 TLS1.2协议通信解密
  • ¥40 图书信息管理系统程序编写
  • ¥20 Qcustomplot缩小曲线形状问题
  • ¥15 企业资源规划ERP沙盘模拟