doug-martin / goqu

SQL builder and query library for golang
http://doug-martin.github.io/goqu/
MIT License
2.37k stars 207 forks

Producing an Anti Injection Query #383

Closed confusionhill closed 1 year ago

confusionhill commented 1 year ago

Hello, I am currently using SQLX for my SQL client and I wanted to produce a query like this:

SELECT * FROM "table_name" WHERE id = $1

because I trust SQLX for the sanitation (anti SQL injection).

Instead of producing a query like that, the generator generates this:

SELECT * FROM "table_name" WHERE ("id" = '1')

The value has been injected into the query. I am no security expert, but I am not comfortable with the query security.

Is there a way to generate a query like that? Thank you.

I know that the ToSQL() method returns query, params, and error, but mine does not return anything other than the query.

My implementation:

package main

import (
	"fmt"
	"github.com/doug-martin/goqu/v9"
	_ "github.com/doug-martin/goqu/v9/dialect/postgres" // registers the postgres dialect
)

func main() {
	builder := goqu.Dialect("postgres") // assumed: builder was not shown in the original
	query := builder.From("table_name").Where(goqu.C("id").Eq("1")).Select("*")
	// Non-prepared mode: the value is interpolated into the SQL text and params stays empty
	sql, params, _ := query.ToSQL()
	fmt.Println("Generated SQL:", sql)
	fmt.Println("Parameters:", params)
}

francistm commented 1 year ago

Should be something like query.Prepared(true).ToSQL(), right?