Need to delete from a CQL map using golang while avoiding CQL injection
I have things stored in a map in CQL and I want to allow deletion of specific things within that map using a key. The key is passed in from above via an API, so the client can pass in whatever it wants. Here's a snippet of code that explains my situation...

import (
    "errors"
    "strconv"
)

// GenerateTrackingIdForDelete turns a map key into the "['key']" element selector
// appended to the column name; an empty key means "delete the whole map".
// The key is pasted into the statement text verbatim, which is the problem asked about.
func GenerateTrackingIdForDelete(tracking_id string) string {
    if tracking_id == "" {
        return ""
    }
    return "['" + tracking_id + "']"
}

// cpool_new (a *gocql.Session), UrlKey, VendorKey and AdvertiserKey are defined elsewhere.
func DeleteAllTrackingURLs(qstringVars map[UrlKey]interface{}, reqVars map[string]string, filter string, tracking_id string) error {
    // Only the WHERE values are bound with "?"; the element selector is concatenated.
    derr := cpool_new.Query(
        "DELETE tracking_urls"+GenerateTrackingIdForDelete(tracking_id)+
            ` FROM template WHERE vendor_id = ? and advertiser_id = ? and filter = ? and template_id = ? and inst_id = ?`,
        qstringVars[VendorKey], qstringVars[AdvertiserKey], filter, reqVars["template_id"], reqVars["inst_id"],
    ).Exec()

    if derr != nil {
        return errors.New("Failed to delete all under inst_id/template_id/filter/advertiser_id/vendor_id " +
            reqVars["inst_id"] + "/" + reqVars["template_id"] + "/" + filter + "/" +
            strconv.Itoa(qstringVars[AdvertiserKey].(int)) + "/" + strconv.Itoa(qstringVars[VendorKey].(int)) +
            " with error " + derr.Error())
    }

    return nil
}

Here's some background on deletion from a map in CQL: http://www.datastax.com/documentation/cql/3.0/cql/cql_using/use_map_t.html

Here are some possible solutions, but is there anything cleaner?

  • Someone can just pass in a key with a single quote in it, and it breaks the query. I can escape each single quote with another single quote, but is this enough? Is this approach bad because gocql has to prepare the statement for the query on every delete?
  • Actually getting what's there and modifying it in memory and inserting it (thereby updating the record). The downside here is more data is being written.
  • Having two separate queries (one for the case where there is a specific key to delete, and another for the case where you want to delete the whole map). The downside here is code duplication.

1 answer

To the best of my knowledge, presently, you will have to build the queries yourself to perform patching operations on Cassandra maps.

For general usage, the safest method is your second suggestion; marshalling the full map value, manipulating it and performing an INSERT/UPDATE.

If your map[x]y is strictly defined; i.e. map[int]int I'd have no issue building my own query - but this has other issues such as not taking advantage of prepared statements.

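The following is an added example written for this page; it is not code from the question, the answer, or the gocql project. It contrasts the question's concatenated element selector with two alternatives: binding the key as a value (`DELETE tracking_urls[?] ...`), which assumes the server accepts a bind marker inside the element selector (the CQL 3 DELETE grammar allows a term there; check your Cassandra version), and inlining the key as a properly quoted CQL string literal, where doubling the single quote is the only escape needed inside `'...'`. The `Statement` type, the `DeleteTrackingURLs*` builders, the hostile key and `SelectionColumns` (a crude quote-aware tokenizer, not a CQL parser) are all constructed for the demonstration; with gocql the result would be executed as `session.Query(s.Text, s.Args...).Exec()`, which is left out so the example runs offline.

```go
package main

import (
	"fmt"
	"strings"
)

// Statement is CQL text plus its positional bind values. No driver is used here.
type Statement struct {
	Text string
	Args []interface{}
}

const whereClause = " FROM template WHERE vendor_id = ? AND advertiser_id = ? AND filter = ? AND template_id = ? AND inst_id = ?"

// DeleteTrackingURLsNaive reproduces the pattern from the question: the client
// supplied key is pasted into the statement text. Kept only for comparison.
func DeleteTrackingURLsNaive(trackingID string, vendorID, advertiserID int, filter, templateID, instID string) Statement {
	sel := "tracking_urls"
	if trackingID != "" {
		sel += "['" + trackingID + "']"
	}
	return Statement{Text: "DELETE " + sel + whereClause,
		Args: []interface{}{vendorID, advertiserID, filter, templateID, instID}}
}

// DeleteTrackingURLs binds the key as a value. The statement text is one of two
// fixed strings, so the key never reaches the CQL parser and the driver can keep
// one prepared statement per shape. Assumes the server accepts "[?]" (see lead-in).
func DeleteTrackingURLs(trackingID string, vendorID, advertiserID int, filter, templateID, instID string) Statement {
	args := []interface{}{vendorID, advertiserID, filter, templateID, instID}
	if trackingID == "" {
		return Statement{Text: "DELETE tracking_urls" + whereClause, Args: args}
	}
	return Statement{Text: "DELETE tracking_urls[?]" + whereClause,
		Args: append([]interface{}{trackingID}, args...)}
}

// QuoteCQLString is the fallback when the key must be inlined as a literal:
// inside a CQL '...' literal the only metacharacter is the single quote, and it
// is escaped by doubling. The text then varies per key (one prepare per key).
func QuoteCQLString(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// DeleteTrackingURLsQuoted is the escaped-literal variant of the naive builder.
func DeleteTrackingURLsQuoted(trackingID string, vendorID, advertiserID int, filter, templateID, instID string) Statement {
	s := DeleteTrackingURLsNaive("", vendorID, advertiserID, filter, templateID, instID)
	if trackingID != "" {
		s.Text = "DELETE tracking_urls[" + QuoteCQLString(trackingID) + "]" + whereClause
	}
	return s
}

// SelectionColumns lists the column names in the selection part of a DELETE,
// splitting on commas outside single-quoted literals. Crude tokenizer for this
// demonstration only; it shows which columns each statement would touch.
func SelectionColumns(text string) []string {
	sel := strings.TrimPrefix(text, "DELETE ")
	var cols []string
	var cur strings.Builder
	flush := func() {
		name := strings.TrimSpace(cur.String())
		if i := strings.IndexByte(name, '['); i >= 0 {
			name = name[:i]
		}
		if name != "" {
			cols = append(cols, name)
		}
		cur.Reset()
	}
	inStr := false
	for i := 0; i < len(sel); i++ {
		c := sel[i]
		switch {
		case c == '\'':
			inStr = !inStr // a doubled '' toggles twice and stays inside the literal
			cur.WriteByte(c)
		case !inStr && c == ',':
			flush()
		case !inStr && strings.HasPrefix(sel[i:], " FROM "):
			flush()
			return cols
		default:
			cur.WriteByte(c)
		}
	}
	flush()
	return cols
}

func main() {
	hostile := "x'], other_urls['y" // constructed attacker-controlled key
	for _, s := range []Statement{
		DeleteTrackingURLsNaive(hostile, 1, 2, "f", "tmpl", "inst"),
		DeleteTrackingURLsQuoted(hostile, 1, 2, "f", "tmpl", "inst"),
		DeleteTrackingURLs(hostile, 1, 2, "f", "tmpl", "inst"),
	} {
		fmt.Printf("%s\n  -> columns: %v\n", s.Text, SelectionColumns(s.Text))
	}
}
```

With the hostile key, the naive builder's statement selects two columns (`tracking_urls` and `other_urls`), so a client could delete data it was never meant to touch; the quoted and bound variants keep the selection at `tracking_urls` only. gocql prepares statements and caches them keyed by the statement text, so the bound form costs two prepares in total (one per shape) while the quoted form costs one per distinct key, which is the trade-off the first bullet of the question raises. The bound key must also match the map's key type (text here), or the server rejects the execute.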