douyi2664 2015-06-27 22:59
Views 89
Accepted

How to parameterize operators?

I have the following sql statement:

SELECT pk, up FROM mytable WHERE 2 > 1 LIMIT 10

This is just for simplicity, obviously. I am able to parameterize any of the integers:

SELECT pk, up FROM mytable WHERE 2 > $1 LIMIT 10

BUT, when I try to parameterize the operator, eg:

SELECT pk, up FROM mytable WHERE 2 $1 1 LIMIT 10

I get:

pq: syntax error at or near "$1"

Full Code:

package main

import (
    "database/sql"
    _ "github.com/lib/pq"
    "log"
)

func main() {
    log.SetFlags(log.Lshortfile)
    Db, err := sql.Open("postgres", "user=yoitsmeletmein password=supersecretyo host=what.a.host dbname=mydb sslmode=require")
    if err != nil {
        log.Fatal("Cannot connect to db: ", err)
    }
    // The placeholder sits where the comparison operator should be; this is the
    // query that produces the syntax error quoted above.
    q := `SELECT pk FROM mytable WHERE 2 $1 1 LIMIT 10`
    // Passing ">" as the parameter value does not work: placeholders bind values only.
    params := []interface{}{">"}
    rows, err := Db.Query(q, params...)
    if err != nil {
        log.Println(err)
    } else {
        defer rows.Close()
        for rows.Next() {
            var pk int64
            if err := rows.Scan(&pk); err != nil {
                log.Fatal(err)
            }
            log.Println(pk)
        }
    }

}

1 answer

  • dpf5207 2015-06-27 23:18

    Prepared statements allow you to parameterize values, nothing else. It wouldn't make sense to parameterize operators to begin with; a statement cannot be prepared without knowing the operators involved. And it would be potentially dangerous, opening vectors for SQL injection.

    To switch operators, you'll have to concatenate a new query string in your client or use dynamic SQL with a server-side procedural language, the default being plpgsql.

    This answer was chosen by the asker as the best answer.
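One way to do the client-side string building the answer recommends without reopening the injection risk it warns about, as an added example that is not part of the original question or answer: the operator is checked against a fixed allowlist before being spliced into the SQL text, while the compared value stays a bound $1 parameter exactly as in the asker's working query. The table and columns are taken from the question; buildCompareQuery and allowedOps are names chosen here.

```go
package main

import "fmt"

// allowedOps is the fixed allowlist of comparison operators that the client is
// permitted to splice into the SQL text. Anything not in this map is rejected
// before it gets near the database, so the only operator text that ever reaches
// Postgres is one of these literal, pre-approved strings.
var allowedOps = map[string]bool{
	"=": true, "<>": true, "<": true, "<=": true, ">": true, ">=": true,
}

// buildCompareQuery returns the SQL text and positional arguments for
//   SELECT pk, up FROM mytable WHERE 2 <op> $1 LIMIT 10
// The operator is validated against allowedOps and then spliced in as text.
// The right-hand value is never spliced: it is returned as $1 so the driver
// sends it separately from the statement, as in the question's working query.
func buildCompareQuery(op string, value int64) (string, []interface{}, error) {
	if !allowedOps[op] {
		// Reject rather than trust: an unexpected operator string is the
		// exact place where arbitrary SQL could otherwise enter the query.
		return "", nil, fmt.Errorf("operator %q is not allowed", op)
	}
	q := fmt.Sprintf("SELECT pk, up FROM mytable WHERE 2 %s $1 LIMIT 10", op)
	return q, []interface{}{value}, nil
}

func main() {
	// Accepted operator: the text is built and the value stays a parameter.
	q, args, err := buildCompareQuery(">", 1)
	if err != nil {
		fmt.Println("unexpected error:", err)
		return
	}
	// In the question's program this would continue as: rows, err := Db.Query(q, args...)
	fmt.Println(q, args)

	// "!=" is valid Postgres but not on the allowlist, so it is refused.
	if _, _, err := buildCompareQuery("!=", 1); err != nil {
		fmt.Println("rejected:", err)
	}
}
```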
