
%s is not safe with quotes #95

Open
alexions opened this issue Mar 28, 2014 · 3 comments

Comments

@alexions

Maybe I missed some information, but if the string contains a quote, you get a fatal error:

```go
login := "hack\"er" // value containing a double quote
db.Query("SELECT * FROM users WHERE login = \"%s\"", login)
```

Received #1064 error from MySQL server: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"er' at line 1"

How can I safely insert any strings?

@ziutek
Owner

ziutek commented Mar 28, 2014

Use the Conn.Escape method, or better, use a prepared statement.

@alexions
Author

Thank you, it works fine. But why can't this be done "automatically" for all %s placeholders?

@ziutek
Owner

ziutek commented Mar 31, 2014

db.Query performs a string query. It doesn't parse any format string and knows nothing about placeholders. It simply passes its arguments to fmt.Sprintf (in very old versions you needed to do this manually).

I strongly recommend using prepared statements for queries that need arguments. It is safer than performing a text query. Nowadays, text queries should be used only for very simple queries.
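To make the two replies above concrete, here is an added, stand-alone Go example (not code from mymysql or from either participant). It reproduces what the thread says db.Query does with a text query, namely hand the arguments to fmt.Sprintf, and shows why the reported input breaks the statement, how escaping repairs it, and how to detect the unterminated literal in the generated SQL. The `escapeMySQL` function is a constructed stand-in that applies the backslash escaping MySQL documents for string literals; it is an assumption about what an escape routine must do, not the driver's own `Conn.Escape` implementation. No database connection is needed.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeMySQL is a constructed stand-in for a driver escape routine (assumption:
// it is NOT mymysql's Conn.Escape). It applies the backslash escapes MySQL
// documents for string literals: NUL, newline, carriage return, backslash,
// both quote characters and Ctrl-Z.
func escapeMySQL(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case 0:
			b.WriteString(`\0`)
		case '\n':
			b.WriteString(`\n`)
		case '\r':
			b.WriteString(`\r`)
		case '\\':
			b.WriteString(`\\`)
		case '\'':
			b.WriteString(`\'`)
		case '"':
			b.WriteString(`\"`)
		case 0x1a:
			b.WriteString(`\Z`)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// buildTextQuery mirrors what the thread describes for a text query: the
// arguments go straight through fmt.Sprintf, so nothing in the driver treats
// %s as a "placeholder" that needs quoting or escaping.
func buildTextQuery(format string, args ...interface{}) string {
	return fmt.Sprintf(format, args...)
}

// unescapedDelimiters counts the double quotes MySQL would read as string
// delimiters (a backslash-escaped character is skipped). An odd count means an
// unterminated literal, which is what produces the #1064 syntax error reported
// above.
func unescapedDelimiters(sql string) int {
	n := 0
	for i := 0; i < len(sql); i++ {
		switch sql[i] {
		case '\\':
			i++ // skip the escaped character
		case '"':
			n++
		}
	}
	return n
}

func main() {
	login := "hack\"er" // constructed input, the same value as in the report
	format := "SELECT * FROM users WHERE login = \"%s\""

	raw := buildTextQuery(format, login)
	fmt.Printf("%s\n  delimiters: %d\n", raw, unescapedDelimiters(raw))

	safe := buildTextQuery(format, escapeMySQL(login))
	fmt.Printf("%s\n  delimiters: %d\n", safe, unescapedDelimiters(safe))
}
```

The unescaped build yields three delimiter quotes, so the literal is unterminated; after escaping, the quote inside the value is neutralised and only the two delimiting quotes remain. Escaping only fixes the text-query path, though: with a prepared statement the value never becomes part of the SQL text at all, which is why the maintainer prefers it for any query that takes arguments.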
