2017-12-14 08:53
473 views


I am using the "database/sql" package in Go. I want to create a table with a variable name.

The only way I can think of is:

db.Exec(`CREATE TABLE ` + table_name + `;`)

But it is not safe, as there can be SQL injection.


3 answers

  • dsnhalq37505 2017-12-14 09:01

    I don't code in Go, but this would probably be safe against injection:

    tx.Prepare(`do $$ begin execute format($f$create table %I()$f$,$1); end; $$;`)

    and then

  • dongli8979 2017-12-14 09:43

    Just use placeholders like:

    db.Exec("CREATE TABLE $1", "table_name")


    With most development platforms, parameterized statements that work with parameters can be used (sometimes called placeholders or bind variables) instead of embedding user input in the statement. A placeholder can only store a value of the given type and not an arbitrary SQL fragment. Hence the SQL injection would simply be treated as a strange (and probably invalid) parameter value.

  • douzhangkui2467 2017-12-14 15:13

    It's just like @Vao Tsun said:

    stmt, err := db.Prepare("CREATE TABLE $1")
    if err != nil {
        log.Fatal(err) // Prepare failed: stmt is nil here, so only close it on the success path below
    }
    defer stmt.Close()
    result, err := stmt.Exec("DB_NAME_HERE") // check err before using result

    Go through the original documentation and look at their example as well for a clear understanding.

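An added example (not from the question or any of the answers) showing the defensive handling in Go: database/sql placeholders bind values, not identifiers, so a table name has to be validated against a strict allowlist and quoted as an identifier before it is placed in the statement text. The quoting rules assumed are PostgreSQL's (double-quoted identifiers, 63-byte name limit); the function names and sample inputs are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// identRe is a deliberately strict allowlist: a plain PostgreSQL identifier
// (letters, digits, underscore; no leading digit; at most 63 bytes, which is
// PostgreSQL's NAMEDATALEN-1 limit).
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]{0,62}$`)

// QuoteIdent validates name against the allowlist and returns it wrapped in
// double quotes, PostgreSQL's quoted-identifier syntax. Embedded quotes would
// be doubled, but the allowlist already rejects them; quoting mainly makes
// reserved words such as user usable as table names.
func QuoteIdent(name string) (string, error) {
	if !identRe.MatchString(name) {
		return "", fmt.Errorf("invalid identifier %q", name)
	}
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`, nil
}

// UnsafeCreateTable is the concatenation from the question: the name is
// spliced into the SQL text verbatim, so any SQL in it becomes part of the
// statement. Shown only for contrast with SafeCreateTable.
func UnsafeCreateTable(tableName string) string {
	return "CREATE TABLE " + tableName + " ();"
}

// SafeCreateTable builds the statement from a validated, quoted identifier.
// The returned text is passed to db.Exec with no bind arguments.
func SafeCreateTable(tableName string) (string, error) {
	ident, err := QuoteIdent(tableName)
	if err != nil {
		return "", err
	}
	return "CREATE TABLE " + ident + " ();", nil
}

func main() {
	// Constructed sample inputs: two ordinary names and one injection attempt.
	for _, n := range []string{"user", "events_2017", "x; DROP TABLE y; --"} {
		if sql, err := SafeCreateTable(n); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println(sql)
		}
	}
}
```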
