dongxiaoyan4388 2018-05-22 23:04
浏览 91
已采纳

我可以在Go中参数化create语句吗?

Using the Go SQL library we can create SELECT, INSERT, UPDATE and DELETE statements with parameters like this:

db.Query("SELECT * FROM database.table WHERE param = ?", param_value)

I want to create tables from user provided input that describes the table structure, users will be asked for the name of the table and the name and type of each column they want to create. However, building a CREATE statement in the query interface Creating a CREATE statement by concatenating strings together works, but that's a SQL injection attack waiting to happen.

Is there a way to parameterize CREATE statements using the Go SQL library?

  • 写回答

1条回答 默认 最新

  • douna5529 2018-05-23 00:24
    关注

    SQL query parameters take the place of a scalar value only.

    That is, you can use a parameter to substitute only where you would otherwise use a constant quoted string, constant quoted date/time, or constant numeric.

    SQL query parameters can't be used for:

    • Table names, column names, or other identifiers
    • SQL expressions
    • Lists of scalar values (like in an IN(...) predicate)
    • SQL keywords

    The proper way to write your app that takes user input which describes table structure is to interpret the user input as a guide, not as literal SQL syntax. Avoid passing user input (or any unsafe content) through to be executed as part of any SQL statement.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 delta降尺度计算的一些细节,有偿
  • ¥15 Arduino红外遥控代码有问题
  • ¥15 数值计算离散正交多项式
  • ¥30 数值计算均差系数编程
  • ¥15 redis-full-check比较 两个集群的数据出错
  • ¥15 Matlab编程问题
  • ¥15 训练的多模态特征融合模型准确度很低怎么办
  • ¥15 kylin启动报错log4j类冲突
  • ¥15 超声波模块测距控制点灯,灯的闪烁很不稳定,经过调试发现测的距离偏大
  • ¥15 import arcpy出现importing _arcgisscripting 找不到相关程序