How do I prevent SQL injection attacks in Go when using "database/sql"?
Problem description:
Building my first web-app and want to understand SQL injection better (https://github.com/astaxie/build-web-application-with-golang/blob/master/en/eBook/09.4.md).
How much protection against SQL injection do I get from just always using the 'database/sql' library and constructing queries using '?' instead of concatting strings? What kind of SQL injection attacks will I still have to worry about in that case?
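As an added example (not part of the original question), the sketch below contrasts a concatenated query with the `?` placeholder form the question asks about, and shows one case placeholders do not cover: a dynamic `ORDER BY` column, which is an identifier rather than a value and so has to come from an allow-list. The `users` table, its columns, and the function names are assumptions made for illustration; no database driver is needed to run it.

```go
package main

import (
	"fmt"
	"strings"
)

// sortColumns maps caller-facing sort keys to real column names.
// Table and column names are constructed for this example.
var sortColumns = map[string]string{
	"name":    "name",
	"created": "created_at",
}

// UnsafeQuery concatenates input into the SQL text, so the input is
// parsed as part of the statement. Shown only as the pattern to avoid.
func UnsafeQuery(name string) string {
	return "SELECT id, name FROM users WHERE name = '" + name + "'"
}

// SafeQuery sends the value through a ? placeholder and takes the
// ORDER BY column from the allow-list, because placeholders bind
// values only, never identifiers or keywords.
func SafeQuery(name, sortBy string, desc bool) (string, []interface{}, error) {
	col, ok := sortColumns[strings.ToLower(sortBy)]
	if !ok {
		return "", nil, fmt.Errorf("unsupported sort column %q", sortBy)
	}
	dir := "ASC"
	if desc {
		dir = "DESC"
	}
	q := "SELECT id, name FROM users WHERE name = ? ORDER BY " + col + " " + dir
	return q, []interface{}{name}, nil
}

func main() {
	hostile := "x' OR '1'='1" // constructed sample input
	fmt.Println("concatenated: ", UnsafeQuery(hostile))

	q, args, err := SafeQuery(hostile, "created", true)
	fmt.Println("parameterized:", q, args, err)
	// With a real *sql.DB this would be: rows, err := db.Query(q, args...)

	_, _, err = SafeQuery(hostile, "name; DROP TABLE users", false)
	fmt.Println("rejected sort key:", err)
}
```

The placeholder syntax depends on the driver (`?` for MySQL and SQLite drivers, `$1` style for PostgreSQL drivers); the allow-list approach for identifiers is the same in either case.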