douli2876
2017-12-14 08:53

Dynamically creating a PostgreSQL table in Golang

I am using the "database/sql" package in Go. I want to create a table with a variable name.

The only way I can think of is:

    db.Exec(`CREATE TABLE ` + table_name + `;`)

But it is not safe, as it allows SQL injection.


3 answers

  • dsnhalq37505 dsnhalq37505 4 years ago

    I don't code in Go, but this would probably be safe against injection:

    tx.Prepare(`do $$ begin execute format($f$create table %I()$f$,$1); end; $$;`)
    

    and then

    stmt.Exec(table_name)
    
  • douzhangkui2467 douzhangkui2467 4 years ago

    It's just like @Vao Tsun said:

    stmt, err := db.Prepare("CREATE TABLE $1")
    if err != nil {
        log.Fatal(err)
    }
    defer stmt.Close()
    
    result, err := stmt.Exec("DB_NAME_HERE")
    

    Go through the original documentation and look at their example as well for a clear understanding.

  • dongli8979 dongli8979 4 years ago

    Just use placeholders like:

    db.Exec("CREATE TABLE $1", "table_name")

    Wikipedia:

    With most development platforms, parameterized statements that work with parameters can be used (sometimes called placeholders or bind variables) instead of embedding user input in the statement. A placeholder can only store a value of the given type and not an arbitrary SQL fragment. Hence the SQL injection would simply be treated as a strange (and probably invalid) parameter value.

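A note on the placeholder answers above: in PostgreSQL a bind parameter such as `$1` can only stand in for a value, never for an identifier, so `CREATE TABLE $1` is rejected by the server as a syntax error. The defensive pattern for a caller-supplied table name is to validate it against a strict allow-list and then quote it as an identifier (lib/pq ships this quoting as `pq.QuoteIdentifier`). The example below is added here and is not code from the question or any of the answers; `CreateTableSQL`, `quoteIdent` and the column list are assumptions for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// identPattern is the allow-list for caller-supplied table names: a leading
// letter or underscore, then letters, digits or underscores, at most 63
// characters (PostgreSQL truncates identifiers beyond NAMEDATALEN-1 = 63).
var identPattern = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]{0,62}$`)

// quoteIdent wraps an identifier in double quotes and doubles any embedded
// double quote, the same rule lib/pq's QuoteIdentifier applies.
func quoteIdent(name string) string {
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// CreateTableSQL builds a CREATE TABLE statement for a caller-supplied table
// name. The name is checked against the allow-list first and quoted second,
// so anything that is not a plain identifier never reaches the database.
// The column definitions are fixed in code (assumed here), not taken from
// the caller.
func CreateTableSQL(tableName string) (string, error) {
	if !identPattern.MatchString(tableName) {
		return "", fmt.Errorf("invalid table name %q", tableName)
	}
	return fmt.Sprintf("CREATE TABLE %s (id serial PRIMARY KEY)", quoteIdent(tableName)), nil
}

func main() {
	// Constructed inputs: one legitimate name and one that smuggles in extra SQL.
	for _, name := range []string{"user_events", `x"; DROP TABLE users; --`} {
		sql, err := CreateTableSQL(name)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		// With a live connection this is where db.Exec(sql) would run.
		fmt.Println("ok:", sql)
	}
}
```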