我可以在Go中参数化create语句吗?
Using the Go SQL library we can create SELECT, INSERT, UPDATE and DELETE statements with parameters like this:
db.Query("SELECT * FROM database.table WHERE param = ?", param_value)
I want to create tables from user provided input that describes the table structure, users will be asked for the name of the table and the name and type of each column they want to create. However, building a CREATE statement in the query interface Creating a CREATE statement by concatenating strings together works, but that's a SQL injection attack waiting to happen.
Is there a way to parameterize CREATE statements using the Go SQL library?
使用Go SQL库,我们可以使用以下参数创建SELECT,INSERT,UPDATE和DELETE语句: p >
db.Query(“ SELECT * FROM database.table WHERE param =?”,param_value)
code> pre>
根据用户提供的描述表结构的输入创建表,系统将要求用户提供表名称以及要创建的每个列的名称和类型。 但是,在查询接口中构建CREATE语句通过将字符串串联在一起来创建CREATE语句是可行的,但这是SQL注入攻击的等待。 p>
是否可以使用Go SQL库对CREATE语句进行参数化? p>
div>
SQL query parameters take the place of a scalar value only.
That is, you can use a parameter to substitute only where you would otherwise use a constant quoted string, constant quoted date/time, or constant numeric.
SQL query parameters can't be used for:
- Table names, column names, or other identifiers
- SQL expressions
- Lists of scalar values (like in an
IN(...)predicate) - SQL keywords
The proper way to write your app that takes user input which describes table structure is to interpret the user input as a guide, not as literal SQL syntax. Avoid passing user input (or any unsafe content) through to be executed as part of any SQL statement.