alxzh commented on Jul 10, 2013:
This is OK because '?' in Go code adds quotes around the whole string, which is different from your MySQL console example. This isn't a Go-specific peculiarity. So I'd propose to rework your code.
On Jul 10, 2013 12:38 PM, "chenhao" notifications@github.com wrote:
go:
```go
var sets []string = []string{"0001", "0004"}
rows, err := db.Query("SELECT set_id,set_name FROM sets where set_id in (?)",
	strings.Join(sets, ","))
```
[can't work]
in mysql workbench:
```sql
SELECT set_id,set_name FROM sets where set_id in ("0001","0004")
```
[can work]
arnehormann commented on Jul 10, 2013:
@meilihao @alexvizor Each ? represents exactly one value. It's impossible to bind multiple values to it this way.
Try this instead, which is equivalent to the mysql workbench query:
```go
sets := []string{"0001", "0004"}
rows, err := db.Query(
	"SELECT set_id,set_name FROM sets where set_id in ('" + strings.Join(sets, "','") + "')",
)
```
julienschmidt commented on Jul 10, 2013:
But please be aware that @arnehormann's example is not injection safe. I'd recommend to set each value separately (one ? for each value) if possible.
You should be absolutely sure that the string slice only contains numeric values. Alternatively you could simply save them in an int slice, but this would make the query building a bit more complex.
arnehormann commented on Jul 10, 2013:
Yes, my example is intended for a previously unknown number of strings provided by the developer and independent of user input. If the number of arguments is known, use the right amount of ?s. Don't open your code to SQL injections. I probably should have added that in my comment.
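The approach julienschmidt and arnehormann recommend, one ? per value with the values passed as bind arguments so the driver does the quoting, as an added example that is not code from the thread or from the driver. The table and column names are the ones from the question; SetsInQuery, Placeholders and ErrEmptyIn are assumed names, and the empty-slice case is rejected because IN () is not valid SQL.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrEmptyIn is returned for an empty slice: "IN ()" is not valid SQL.
var ErrEmptyIn = errors.New("IN clause needs at least one value")

// Placeholders returns n comma-separated "?" markers, e.g. "?,?,?".
func Placeholders(n int) string {
	if n <= 0 {
		return ""
	}
	return strings.Repeat("?,", n-1) + "?"
}

// SetsInQuery builds the query from the thread with exactly one ? per
// set_id and returns the values as separate bind arguments. Only the
// placeholder count depends on the slice; the values themselves never
// reach the SQL text, so they may safely come from user input.
func SetsInQuery(setIDs []string) (string, []interface{}, error) {
	if len(setIDs) == 0 {
		return "", nil, ErrEmptyIn
	}
	query := "SELECT set_id, set_name FROM sets WHERE set_id IN (" +
		Placeholders(len(setIDs)) + ")"
	args := make([]interface{}, len(setIDs))
	for i, id := range setIDs {
		args[i] = id
	}
	return query, args, nil
}

func main() {
	sets := []string{"0001", "0004"} // constructed sample values
	query, args, err := SetsInQuery(sets)
	if err != nil {
		panic(err)
	}
	fmt.Println(query) // SELECT set_id, set_name FROM sets WHERE set_id IN (?,?)
	fmt.Println(args)  // [0001 0004]
	// With a real *sql.DB this is: rows, err := db.Query(query, args...)
}
```

Because the values travel as arguments, a value containing a quote (say "O'Brien") is still just one bound string and never alters the statement.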
arnehormann commented on Jul 10, 2013:
@meilihao this still leaves one open issue: what is "no error" in the title? None at all or an error you didn't understand? Did you check err?