lib / pq

Pure Go Postgres driver for database/sql
https://pkg.go.dev/github.com/lib/pq
MIT License

db.Query does not always expand the parameter #953

Closed graywolf-at-work closed 4 years ago

graywolf-at-work commented 4 years ago

What version of Go are you using (go version)?

$ go version
go version go1.14 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/wolf/.cache/go-build"
GOENV="/home/wolf/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GONOPROXY="go.showmax.cc"
GONOSUMDB="go.showmax.cc"
GOOS="linux"
GOPATH="/home/wolf/go"
GOPRIVATE="go.showmax.cc"
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/home/wolf/tmp/trigger_test/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build944301925=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Using the pq adapter (github.com/lib/pq) and database/sql I've tried dropping a table:

_, err := db.Query("DROP TABLE $1", "test")
if err != nil {
    panic(err)
}

Documentation ( https://godoc.org/database/sql#DB.Query ) does not suggest that this should not work.

What did you expect to see?

panic: pq: table "test" does not exist

What did you see instead?

panic: pq: syntax error at or near "$"

akshayjshah commented 4 years ago

The DB.Query documentation says, "The args are for any placeholder parameters in the query." In SQL, "placeholder parameters" are placeholders for data, not commands (SELECT, UPDATE, etc.) or identifiers (table name, index name, column name, etc.) -- they're not a mechanism for arbitrary text replacement.

In your example, $1 is taking the place of an identifier: the table name. That's not allowed, so you're getting a syntax error.

I'm just an observer here, not one of maintainers, but I thought I'd jump in -- this has tripped me up in the past too :)
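
Added example (not code from this thread or from lib/pq): what the distinction above looks like in practice. A table name cannot be bound through $1, so it is checked against an allowlist and quoted into the statement; the row value in the second function stays a real placeholder. The quoting rule is assumed to match pq.QuoteIdentifier and is reimplemented so the example runs without the module or a database.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// quoteIdentifier applies the rule pq.QuoteIdentifier uses (assumed here):
// wrap in double quotes, double embedded double quotes, cut at an embedded NUL.
func quoteIdentifier(name string) string {
	if i := strings.IndexByte(name, 0); i >= 0 {
		name = name[:i]
	}
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// allowedTables is a constructed allowlist of tables the program may drop.
// Checking against a fixed set is the primary control; quoting is the backstop
// that keeps an odd name from parsing as anything but a single identifier.
var allowedTables = map[string]bool{"test": true, "audit_log": true}

var errUnknownTable = errors.New("table name not in allowlist")

// dropTableSQL builds the statement the issue tried to write with $1. The
// identifier cannot be a placeholder, so it is validated and quoted into the text.
func dropTableSQL(table string) (string, error) {
	if !allowedTables[table] {
		return "", errUnknownTable
	}
	return "DROP TABLE " + quoteIdentifier(table), nil
}

// deleteRowsSQL is the case placeholders exist for: the value is data, so it
// stays in args and the driver binds it; it never touches the query text.
func deleteRowsSQL(name string) (query string, args []interface{}) {
	return "DELETE FROM test WHERE name = $1", []interface{}{name}
}

func main() {
	q, err := dropTableSQL("test")
	fmt.Println(q, err) // DROP TABLE "test" <nil>
	_, err = dropTableSQL(`my"table`)
	fmt.Println(err) // table name not in allowlist
	fmt.Println(quoteIdentifier(`my"table`)) // "my""table"
	// Against a live *sql.DB: db.Exec(q), then q2, a := deleteRowsSQL("test")
	// and db.Exec(q2, a...); statements that change data belong in Exec, not Query.
}
```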

graywolf-at-work commented 4 years ago

What @akshayjshah said makes sense :/