adobe / aquarium-fish

Your best secure distributed heterogeneous dynamic compute resource manager for CI

Security: SQL injection in API: filter #33

Closed sparshev closed 1 year ago

sparshev commented 1 year ago

According to gorm, if the user input is not a second argument to a prepared statement, then it's an SQL injection threat: https://gorm.io/docs/security.html#Query-Condition

Need to find a better way to allow users to filter the data.

sparshev commented 1 year ago

Found a nice library, https://github.com/rqlite/sql, which can parse only an expression and return it without any additional statements. If it finds a non-expression or a sub-statement, it will raise an error.
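One way to do the parameterized filtering the issue asks for, as an added example that is not code from aquarium-fish, gorm or rqlite/sql: it builds a `(query, args)` pair for gorm's `db.Where(query, args...)` from an allow-list of columns and operators, so user-supplied values only ever travel as `?` placeholder arguments and never become SQL text. The `Filter` struct and the column/operator lists are assumptions for illustration, not the project's real request format.

```go
package main

import (
	"fmt"
	"strings"
)

// Filter is one user-supplied condition from the API: column, operator, value.
// Hypothetical shape, not aquarium-fish's actual request format.
type Filter struct {
	Column string
	Op     string
	Value  interface{}
}

// Allow-lists: only these identifiers ever reach the SQL text.
var allowedColumns = map[string]bool{"name": true, "status": true, "created_at": true}
var allowedOps = map[string]bool{"=": true, "!=": true, "<": true, ">": true, "LIKE": true}

// BuildWhere turns untrusted filters into a (query, args) pair suitable for
// gorm's db.Where(query, args...). Column and operator names are copied only
// from the allow-lists above; every user value becomes a "?" placeholder
// argument, so it is bound by the driver instead of spliced into the query.
func BuildWhere(filters []Filter) (string, []interface{}, error) {
	if len(filters) == 0 {
		return "", nil, nil
	}
	parts := make([]string, 0, len(filters))
	args := make([]interface{}, 0, len(filters))
	for _, f := range filters {
		if !allowedColumns[f.Column] {
			return "", nil, fmt.Errorf("unknown column %q", f.Column)
		}
		op := strings.ToUpper(f.Op)
		if !allowedOps[op] {
			return "", nil, fmt.Errorf("unsupported operator %q", f.Op)
		}
		parts = append(parts, f.Column+" "+op+" ?")
		args = append(args, f.Value)
	}
	return strings.Join(parts, " AND "), args, nil
}

// UnsafeWhere is the pattern the issue warns about, shown for contrast only:
// the user's value is concatenated into the statement text, so any quote in
// it changes the SQL itself rather than being treated as data.
func UnsafeWhere(column, value string) string {
	return column + " = '" + value + "'"
}

func main() {
	q, args, err := BuildWhere([]Filter{{"name", "=", "fish-1"}, {"status", "!=", "done"}})
	fmt.Println(q, args, err) // name = ? AND status != ? [fish-1 done] <nil>
}
```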