mysql - Prevent SQL injection
question 1:
I have the MySQL query below, which works fine, but I've discovered it is not a safe approach and is open to SQL injection. As you can see, the WHERE clause is the issue if I wanted to pass it as an argument:
_, err := dbmap.Select(&response.AppsData, "select...", ?)
Any advice appreciated.
```go
where := ""
for i := 0; i < len(acl_user_apps); i++ {
	fmt.Println(acl_user_apps[i].AppID)
	fmt.Println(acl_user_apps[i].Permissions)
	if where == "" {
		where = "where apps.id=" + strconv.Itoa(acl_user_apps[i].AppID)
	} else {
		where = where + " or apps.id=" + strconv.Itoa(acl_user_apps[i].AppID)
	}
}
// The WHERE clause, sort column, direction, limit and offset are all spliced
// into the SQL text by string concatenation (the unsafe part asked about).
query := "select apps.*, group_concat(distinct ifnull(appcategorymatches.category_id,'-1') separator ',') temp, " +
	"group_concat(distinct ifnull(appcategories.category_name,'-1') separator ',') tmp_name " +
	"from apps " +
	"left join appcategorymatches on appcategorymatches.app_id=apps.id " +
	"left join appcategories on (appcategorymatches.`category_id` = appcategories.id) " +
	where + " group by apps.id order by " + sort_by + " " + order_by + " limit " + limit + " offset " + offset
_, err := dbmap.Select(&response.AppsData, query)
```
question 2:
I'm wondering if anyone has ever had issues passing the ORDER BY argument...
```go
_, err := dbmap.Select(&response.AppsData, "select apps.*, "+
	"group_concat(distinct ifnull(appcategorymatches.category_id,'-1') separator ',') temp, "+
	"group_concat(distinct ifnull(appcategories.category_name,'-1') separator ',') tmp_name "+
	"from apps "+
	"left join appcategorymatches on appcategorymatches.app_id=apps.id "+
	"left join appcategories on (appcategorymatches.category_id = appcategories.id) "+
	"group by apps.id order by ?", "title")
```
This ORDER BY is the simplest thing ever... why isn't it working?
You absolutely don't want to be "escaping" strings on your own, nor concatenating strings to make queries.

Go's database/sql (http://golang.org/pkg/database/sql/) package supports parameterised queries by default, e.g. db.Query("select * from users where id=? and active=?", id, userStatus), where ? acts as a placeholder and MySQL handles the variables. You can (in combination with parameterised queries) use a query builder like mgutz/dat, which can help if you're not great at writing raw SQL. That package or sqlx helps pack/unpack queries to/from structs or maps in your application.

There's a great guide in the tutorial on using Go's database package. I highly suggest reading it.
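The following is an added example, not code from the question or the answer above, showing how the query from question 1 would be built with database/sql placeholders instead of string concatenation. It also goes beyond the answer to cover question 2: a ? placeholder binds a value, not an identifier, so "order by ?" with "title" sorts by the constant string 'title' rather than by the column. Column names and directions therefore have to be checked against an allowlist before being spliced in; the allowlist here (id, title, created_at), the aclUserApp struct, and the sample ACL entries are all assumptions made for the example, and the *sql.DB is assumed to be opened elsewhere with a MySQL driver.

```go
package main

import (
	"database/sql"
	"errors"
	"fmt"
	"strings"
)

// aclUserApp mirrors the acl_user_apps entries from the question (assumed shape).
type aclUserApp struct {
	AppID       int
	Permissions string
}

// Columns a caller may sort by. A '?' placeholder cannot bind an identifier,
// so ORDER BY is constrained by this allowlist instead (assumed column set).
var allowedSortColumns = map[string]bool{
	"id": true, "title": true, "created_at": true,
}

// buildAppsQuery returns the SQL text with '?' placeholders plus the argument
// slice to pass alongside it. Every attacker-influenced value travels in args,
// never in the query string; only allowlisted identifiers are spliced in.
func buildAppsQuery(acl []aclUserApp, sortBy, orderBy string, limit, offset int) (string, []interface{}, error) {
	if len(acl) == 0 {
		return "", nil, errors.New("no app ids: refusing to build an unfiltered query")
	}
	if !allowedSortColumns[sortBy] {
		return "", nil, fmt.Errorf("sort column %q is not in the allowlist", sortBy)
	}
	dir := strings.ToUpper(orderBy)
	if dir != "ASC" && dir != "DESC" {
		return "", nil, fmt.Errorf("order direction %q must be ASC or DESC", orderBy)
	}
	if limit <= 0 || offset < 0 {
		return "", nil, fmt.Errorf("invalid limit %d / offset %d", limit, offset)
	}

	// One placeholder per id: WHERE apps.id IN (?,?,...) replaces the chain of
	// "or apps.id=" string concatenations from the original code.
	placeholders := make([]string, len(acl))
	args := make([]interface{}, 0, len(acl)+2)
	for i, a := range acl {
		placeholders[i] = "?"
		args = append(args, a.AppID)
	}
	// LIMIT and OFFSET are integer values, so they bind as placeholders too.
	args = append(args, limit, offset)

	query := "SELECT apps.*, " +
		"GROUP_CONCAT(DISTINCT IFNULL(appcategorymatches.category_id,'-1') SEPARATOR ',') AS temp, " +
		"GROUP_CONCAT(DISTINCT IFNULL(appcategories.category_name,'-1') SEPARATOR ',') AS tmp_name " +
		"FROM apps " +
		"LEFT JOIN appcategorymatches ON appcategorymatches.app_id = apps.id " +
		"LEFT JOIN appcategories ON appcategorymatches.category_id = appcategories.id " +
		"WHERE apps.id IN (" + strings.Join(placeholders, ",") + ") " +
		"GROUP BY apps.id " +
		"ORDER BY " + sortBy + " " + dir + " " +
		"LIMIT ? OFFSET ?"
	return query, args, nil
}

// queryApps runs the built query through database/sql so the driver sends the
// values separately from the SQL text. db is assumed to be opened elsewhere.
func queryApps(db *sql.DB, acl []aclUserApp, sortBy, orderBy string, limit, offset int) (*sql.Rows, error) {
	query, args, err := buildAppsQuery(acl, sortBy, orderBy, limit, offset)
	if err != nil {
		return nil, err
	}
	return db.Query(query, args...)
}

func main() {
	// Constructed sample ACL entries, not real data.
	acl := []aclUserApp{{AppID: 7, Permissions: "read"}, {AppID: 42, Permissions: "write"}}
	q, args, err := buildAppsQuery(acl, "title", "asc", 10, 0)
	fmt.Println(q, args, err)
	// An attacker-controlled sort column is rejected instead of spliced in.
	_, _, err = buildAppsQuery(acl, "title; DROP TABLE apps", "asc", 10, 0)
	fmt.Println(err)
}
```

With gorp's dbmap.Select the same pattern applies: pass the query text and then args... as the variadic arguments, exactly as with db.Query.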