wangbjun / blog

Hexo source code and configuration for my blog, https://wangbjun.site/

Stop building SQL with Sprintf | JWang's Blog #150

Open wangbjun opened 2 years ago

wangbjun commented 2 years ago

https://wangbjun.site/2022/coding/golang/sprintf-sql-inject.html

Speaking of code security: most of the time nobody takes it seriously, as long as the business feature works, but once a security problem does surface it is never a small matter. It suddenly came back to me that an earlier project had a lot of code written like this:

```go
sql := "select * from xxx where 1=1"
if name != "" {
    sql += fmt.Sprintf(" and name = '%s'", name)
}
if addres
```

Jayleonc commented 1 year ago

I'd like to ask: if I need `select * from (select t.id from time t left join user u on u.id = t.id and o.state = 0 left join role r on r.id = u.id)`, and on top of that I still have to add query parameters, how should this be handled without string concatenation?
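The following is an added example, not code from the post or from either commenter. It puts the post's `Sprintf` pattern next to a parameterized version of the same dynamic WHERE clause, and applies that version to a fixed join/derived-table SELECT like the one asked about above. The `Filter` type, the table and column names, the `allowedOrder` map and the `?` placeholder style (MySQL/SQLite) are assumptions made for the example; the fixed part of the statement is written once as a string, and only the values supplied by the caller are bound as arguments.

```go
package main

import (
	"context"
	"database/sql"
	"fmt"
	"strings"
)

// Filter holds optional search values supplied by the caller (e.g. from an HTTP form).
// Zero values mean "no condition". Hypothetical type for this example.
type Filter struct {
	Name    string
	Address string
	MinAge  int
}

// allowedOrder is an allowlist for ORDER BY. Identifiers (table/column names, sort
// direction) cannot be bound as ? parameters, so the only safe way to make them
// dynamic is to map caller input onto fixed SQL fragments. Assumed keys for the example.
var allowedOrder = map[string]string{
	"name":     "order by name",
	"age":      "order by age",
	"age_desc": "order by age desc",
}

// unsafeQuery reproduces the Sprintf pattern from the post: the caller's value is
// spliced into the SQL text, so a single quote in the input rewrites the statement.
func unsafeQuery(f Filter) string {
	q := "select * from xxx where 1=1"
	if f.Name != "" {
		q += fmt.Sprintf(" and name = '%s'", f.Name)
	}
	if f.Address != "" {
		q += fmt.Sprintf(" and address = '%s'", f.Address)
	}
	return q
}

// safeQuery builds the same dynamic WHERE clause on top of any fixed SELECT
// (plain table, join, or derived table). Conditions are still appended as text,
// but every value becomes a ? placeholder with a matching entry in args. The
// driver sends values separately from the statement, so they cannot change its
// structure. ? is the MySQL/SQLite placeholder; PostgreSQL uses $1, $2, ...
func safeQuery(base string, f Filter, orderBy string) (string, []any, error) {
	var conds []string
	var args []any
	if f.Name != "" {
		conds = append(conds, "name = ?")
		args = append(args, f.Name)
	}
	if f.Address != "" {
		conds = append(conds, "address = ?")
		args = append(args, f.Address)
	}
	if f.MinAge > 0 {
		conds = append(conds, "age >= ?")
		args = append(args, f.MinAge)
	}
	q := base
	if len(conds) > 0 {
		q += " where " + strings.Join(conds, " and ")
	}
	if orderBy != "" {
		frag, ok := allowedOrder[orderBy]
		if !ok {
			return "", nil, fmt.Errorf("unsupported sort key %q", orderBy)
		}
		q += " " + frag
	}
	return q, args, nil
}

// runQuery hands the built statement and its arguments to database/sql;
// parameter binding is done by the driver, not by string formatting.
func runQuery(ctx context.Context, db *sql.DB, base string, f Filter, orderBy string) (*sql.Rows, error) {
	q, args, err := safeQuery(base, f, orderBy)
	if err != nil {
		return nil, err
	}
	return db.QueryContext(ctx, q, args...)
}

func main() {
	// Constructed attacker input: closes the quoted literal and appends a tautology.
	evil := "x' or '1'='1"

	// With Sprintf the OR becomes part of the statement and every row matches.
	fmt.Println(unsafeQuery(Filter{Name: evil}))

	// The join/derived-table case from the thread, using the same builder. The
	// inner SELECT is fixed text; the columns it exposes are assumed for the example.
	base := "select * from (select t.id, u.name, u.address, u.age from time t " +
		"left join user u on u.id = t.id and u.state = 0 " +
		"left join role r on r.id = u.id) sub"
	q, args, err := safeQuery(base, Filter{Name: evil, MinAge: 18}, "age_desc")
	fmt.Println(q, args, err) // the quote travels in args; the SQL text holds no attacker bytes

	_, _, err = safeQuery(base, Filter{}, "name; drop table user")
	fmt.Println(err) // sort key is not in the allowlist, so it is rejected
}
```

The point for the subquery question is that the shape of the statement (the derived table, the joins, the `ON` conditions) is fixed and belongs in the SQL string, while the values that vary per request go through `?` and the `args` slice; anything that must vary in structure, such as the sort column, is chosen from an allowlist rather than taken from the input.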