douyi2664 2015-06-27 22:59
Views: 89
Accepted

How to parameterize an operator?

I have the following SQL statement:

SELECT pk, up FROM mytable WHERE 2 > 1 LIMIT 10

This is just for simplicity, obviously. I am able to parameterize any of the integers:

SELECT pk, up FROM mytable WHERE 2 > $1 LIMIT 10

BUT, when I try to parameterize the operator, e.g.:

SELECT pk, up FROM mytable WHERE 2 $1 1 LIMIT 10

I get:

pq: syntax error at or near "$1"

Full Code:

package main

import (
    "database/sql"
    "log"

    _ "github.com/lib/pq" // registers the "postgres" driver with database/sql
)

func main() {
    log.SetFlags(log.Lshortfile)
    db, err := sql.Open("postgres", "user=yoitsmeletmein password=supersecretyo host=what.a.host dbname=mydb sslmode=require")
    if err != nil {
        log.Fatal("Cannot connect to db: ", err)
    }
    defer db.Close()
    // The operator is supplied through the $1 placeholder; this is the query
    // that produces: pq: syntax error at or near "$1"
    q := `SELECT pk FROM mytable WHERE 2 $1 1 LIMIT 10`
    params := []interface{}{">"}
    rows, err := db.Query(q, params...)
    if err != nil {
        log.Println(err)
        return
    }
    defer rows.Close()
    for rows.Next() {
        var pk int64
        if err := rows.Scan(&pk); err != nil {
            log.Fatal(err)
        }
        log.Println(pk)
    }
    // Errors raised while iterating are only reported here, not by Next().
    if err := rows.Err(); err != nil {
        log.Fatal(err)
    }
}

1 answer

  • dpf5207 2015-06-27 23:18

    Prepared statements allow you to parametrize values, nothing else. It wouldn't make sense to parametrize operators to begin with; a statement cannot be prepared without knowing the involved operators. And it would be potentially dangerous, opening vectors for SQL injection.

    To switch operators, you'll have to concatenate a new query string in your client or use dynamic SQL with a server-side procedural language, the default being plpgsql.

    This answer was chosen by the asker as the best answer.
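The answer above says the operator has to be spliced into the query text on the client side, and that doing so carelessly opens the door to SQL injection. The following Go program is an added example (not code from the question, the answer or the lib/pq project) showing the usual safe way to do that splice: the caller picks an operator by name, the name is looked up in a fixed allowlist of SQL operator strings, and only that allowlisted string is formatted into the query, while the comparison value and the limit are still passed as bound parameters. The table `mytable` and column `up` are taken from the question; `BuildFilterQuery` and the operator names `eq`, `ne`, `gt`, `ge`, `lt`, `le` are assumptions for this example. No database connection is needed to run it.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrUnknownOperator is returned when the requested operator name is not in
// the allowlist. Anything that is not an exact key is rejected, so an
// injection-style string never reaches the query text.
var ErrUnknownOperator = errors.New("unknown comparison operator")

// allowedOperators maps a caller-supplied operator name to the only SQL text
// that can ever be spliced into the query (hypothetical names for this example).
var allowedOperators = map[string]string{
	"eq": "=",
	"ne": "<>",
	"gt": ">",
	"ge": ">=",
	"lt": "<",
	"le": "<=",
}

// BuildFilterQuery builds the query text for mytable with the allowlisted
// operator spliced in, and returns the value and limit separately so that they
// are bound as $1 and $2 rather than concatenated.
func BuildFilterQuery(opName string, value int64, limit int) (string, []interface{}, error) {
	sqlOp, ok := allowedOperators[opName]
	if !ok {
		return "", nil, fmt.Errorf("%w: %q", ErrUnknownOperator, opName)
	}
	if limit <= 0 {
		return "", nil, errors.New("limit must be positive")
	}
	// sqlOp comes from the map above, never from the caller's string.
	q := fmt.Sprintf("SELECT pk, up FROM mytable WHERE up %s $1 LIMIT $2", sqlOp)
	return q, []interface{}{value, int64(limit)}, nil
}

func main() {
	// Constructed inputs: one valid operator name and one injection-style string.
	for _, op := range []string{"gt", "1 OR 1=1; --"} {
		q, args, err := BuildFilterQuery(op, 1, 10)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println(q, args)
		// With a live *sql.DB this would be: rows, err := db.Query(q, args...)
	}
}
```

The key property is that the caller's string is only ever used as a map key; the text that ends up in the SQL is one of six constants chosen by the programmer. Rejecting unknown names with an error (rather than falling back to a default operator) also makes tampering attempts visible in application logs.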
