
How to correctly pass arguments to the SQL request via the sqlx package in Golang?

In my Golang (1.15) application I use sqlx package to work with the PostgreSQL database (PostgreSQL 12.5).

When I try to execute an SQL statement with arguments, the PostgreSQL database raises an error:

ERROR: could not determine data type of parameter $1 (SQLSTATE 42P18): PgError null

According to the official documentation, this error means that an INDETERMINATE DATATYPE was passed.

The organizationId has a value. It's not null/nil or empty. Also, its data type is a simple built-in data type, *string.

Code snippet with the Query method:

rows, err := cr.db.Query(`
    select
        channels.channel_id::text,
        channels.channel_name::text
    from
        channels
    left join organizations on
        channels.organization_id = organizations.organization_id
    where
        organizations.tree_organization_id like concat( '%', '\', $1, '%' );`, *organizationId)

if err != nil {
    fmt.Println(err)
}

I also tried to use NamedQuery, but it also raises an error:

ERROR: syntax error at or near ":" (SQLSTATE 42601): PgError null

Code snippet with the NamedQuery method:

args := map[string]interface{}{"organization_id": *organizationId}

rows, err := cr.db.NamedQuery(`
    select
        channels.channel_id::text,
        channels.channel_name::text
    from
        channels
    left join organizations on
        channels.organization_id = organizations.organization_id
    where
        organizations.tree_organization_id like concat( '%', '\', :organization_id, '%' );`, args)

if err != nil {
    fmt.Println(err)
}

In all likelihood, the arguments are not passed correctly to my request. Can someone explain how to fix this strange behavior?

P.S. I must say right away that I do not want to form an SQL query through concatenation or through the fmt.Sprintf method. It's not safe.

Well, I found the solution to this problem.

I found the discussion in the GitHub repository of the sqlx package.

In the first option, we can concatenate our search string outside of the query. This should still be safe from injection attacks.

The second choice is to try this: concat( '%', '\', $1::text, '%' ). As Bjarni Ragnarsson said in the comment, PostgreSQL cannot deduce the type of $1.
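The first option from the answer above, sketched as an added example (not code from the original post or from the sqlx project): the LIKE pattern is built in Go and passed as a single bound parameter, so the value still never enters the SQL text. The helper names `containsPattern` and `channelsByTreeQuery` are hypothetical, and the example assumes the intent is a literal substring match, so it also escapes the LIKE wildcards `%` and `_`, which parameter binding alone does not neutralize.

```go
package main

import (
	"fmt"
	"strings"
)

// likeEscaper escapes the characters LIKE treats specially when the escape
// character is backslash (PostgreSQL's default for LIKE).
var likeEscaper = strings.NewReplacer(`\`, `\\`, `%`, `\%`, `_`, `\_`)

// containsPattern (hypothetical helper) builds a "contains" pattern in Go, so
// the query receives one complete value instead of a bare $1 inside concat().
func containsPattern(term string) string {
	return "%" + likeEscaper.Replace(term) + "%"
}

// channelsByTreeQuery (hypothetical helper) returns the statement and its
// arguments, ready for db.Query(query, args...). The SQL text is a constant;
// only the bound argument varies with user input.
func channelsByTreeQuery(organizationID string) (string, []interface{}) {
	const query = `
select
    channels.channel_id::text,
    channels.channel_name::text
from
    channels
left join organizations on
    channels.organization_id = organizations.organization_id
where
    organizations.tree_organization_id like $1;`
	return query, []interface{}{containsPattern(organizationID)}
}

func main() {
	// Constructed sample inputs: a plain id, one with LIKE wildcards,
	// and one containing a backslash.
	for _, id := range []string{"org42", "50%_off", `a\b`} {
		_, args := channelsByTreeQuery(id)
		fmt.Printf("%-10q -> %q\n", id, args[0])
	}
}
```

With `like $1` compared against a text column, PostgreSQL can resolve the parameter type from the operator, which is what the bare `$1` inside `concat()` did not allow.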
