Cross-database prepared statement binding (like and where in) in Golang

南笙 2021-01-19 12:43

After reading many tutorials, I found that there are many ways to bind arguments on prepared statements in Go, some of them

SELECT * FROM bla WHERE x = ?col1          


        
3 answers
  • 2021-01-19 13:25

    What is the cross-database way to bind arguments?

    With database/sql, there is none. Each database has its own way to represent parameter placeholders. The Go database/sql package does not provide any normalization facility for the prepared statements. Prepared statement texts are just passed to the underlying driver, and the driver typically just sends them unmodified to the database server (or library for embedded databases).

    How to bind arguments for LIKE-statement correctly?

    You can use parameter placeholders after a like statement and bind it as a string. For instance, you could write a prepared statement as:

    SELECT a from bla WHERE b LIKE ?
    

    Here is an example (error management handling omitted).

    package main
    
    import (
        "database/sql"
        "fmt"
        _ "github.com/go-sql-driver/mysql"
    )
    
    // > select * from bla ;
    // +------+------+
    // | a    | b    |
    // +------+------+
    // | toto | titi |
    // | bobo | bibi |
    // +------+------+
    
    func main() {
    
        // Open connection
        db, err := sql.Open("mysql", "root:XXXXXXX@/test")
        if err != nil {
             panic(err.Error())  // proper error handling instead of panic in your app
        }
        defer db.Close()
    
        // Prepare statement for reading data
        stmtOut, err := db.Prepare("SELECT a FROM bla WHERE b LIKE ?")
        if err != nil {
            panic(err.Error()) // proper error handling instead of panic in your app
        }
        defer stmtOut.Close()
    
        var a string
        b := "bi%"    // LIKE 'bi%'
        err = stmtOut.QueryRow(b).Scan(&a)
        if err != nil {
            panic(err.Error()) // proper error handling instead of panic in your app
        }
        fmt.Printf("a = %s\n", a)
    } 
    

    Note that the % character is part of the bound string, not of the query text.

    How to bind arguments for IN statement correctly?

    None of the databases I know allows binding a list of parameters directly with an IN clause. This is not a limitation of database/sql or the drivers, but this is simply not supported by most database servers.

    You have several ways to work around the problem:

    • you can build a query with a fixed number of placeholders in the IN clause. Only bind the parameters you are provided with, and complete the other placeholders by the NULL value. If you have more values than the fixed number you have chosen, just execute the query several times. This is not extremely elegant, but it can be effective.

    • you can build multiple queries with various numbers of placeholders. One query for IN ( ? ), a second query for IN (?, ?), a third for IN (?,?,?), etc ... Keep those prepared queries in a statement cache, and choose the right one at runtime depending on the number of input parameters. Note that it takes memory, and generally the maximum number of prepared statements is limited, so it cannot be used when the number of parameters is high.

    • if the number of input parameters is high, insert them in a temporary table, and replace the query with the IN clause by a join with the temporary table. It is effective if you manage to perform the insertion in the temporary table in one roundtrip. With Go and database/sql, it is not convenient because there is no way to batch queries.

    Each of these solutions has drawbacks. None of them is perfect.

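Because the `%` travels in the bound value, any `%` or `_` inside user input is a wildcard too. The sketch below is an added example, not code from the answer: it escapes those characters before binding. `likeEscaper`, `PrefixPattern` and the `'!'` escape character are choices made here, and `likeMatch` is a small stand-in for the server's LIKE so the effect can be seen without a database.

```go
package main

import (
	"fmt"
	"strings"
)

// likeEscaper neutralises LIKE metacharacters in untrusted input. '!' is the
// escape character because backslash handling in literals differs per server.
var likeEscaper = strings.NewReplacer("!", "!!", "%", "!%", "_", "!_")

// The query text is constant; ESCAPE declares the '!' convention to the server.
const likeQuery = "SELECT a FROM bla WHERE b LIKE ? ESCAPE '!'"

// PrefixPattern is the value to bind for "b starts with input".
func PrefixPattern(input string) string { return likeEscaper.Replace(input) + "%" }

// likeMatch stands in for the server's LIKE ... ESCAPE '!' so this runs
// without a database (constructed for the example; byte-wise, ASCII only).
func likeMatch(pat, s string) bool {
	if pat == "" {
		return s == ""
	}
	switch pat[0] {
	case '%': // any run of characters, including none
		for i := 0; i <= len(s); i++ {
			if likeMatch(pat[1:], s[i:]) {
				return true
			}
		}
		return false
	case '_': // exactly one character
		return s != "" && likeMatch(pat[1:], s[1:])
	case '!': // escape: the next pattern byte is literal
		if pat = pat[1:]; pat == "" {
			return false
		}
	}
	return s != "" && s[0] == pat[0] && likeMatch(pat[1:], s[1:])
}

func main() {
	fmt.Println(likeQuery)
	for _, b := range []string{"titi", "bibi", "100%_done"} { // constructed rows
		// bound value: raw "%" plus wildcard, then the escaped equivalents
		fmt.Println(b, likeMatch("%%", b), likeMatch(PrefixPattern("%"), b),
			likeMatch(PrefixPattern("100%_"), b))
	}
}
```

With a live handle the call is `stmtOut.QueryRow(PrefixPattern(userInput))` against `likeQuery`. SQL Server also treats `[` as a pattern character, so it needs an entry in the replacer there.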
  • 2021-01-19 13:28

    I'm a newbie to Go but just to answer the first part:

    First question, what is the cross-database way to bind arguments? (that works on any database)

    If you use sqlx, which is a superset of the built-in sql package, then you should be able to use sqlx.DB.Rebind to achieve that.

  • 2021-01-19 13:32

    I had this same question, and after reading the answers started to look for another solution on how to bind arguments for the IN statement.

    Here is an example of what I did, not the most elegant solution, but works for me.

    What I did was to create a select query with the parameters statically set on the query, and not using the bind feature at all.

    It could be a good idea to sanitize the string that comes from the Marshal command, to be sure and safe, but I don't need it now.

    package main
    
    import (
        "database/sql"
        "encoding/json"
        "fmt"
        "log"
    
        _ "github.com/go-sql-driver/mysql"
    )
    
    type Result struct {
        Identifier string
        Enabled    bool
    }
    
    func main() {
    
        // Open connection
        db, err := sql.Open("mysql", "username:password@tcp(server-host)/my-database")
        if err != nil {
            panic(err.Error()) // proper error handling instead of panic in your app
        }
        defer db.Close()
    
        // this is an example of a variable list of IDs
        idList := []string{"ID1", "ID2", "ID3", "ID4", "ID5", "IDx"}
    
        // convert the list to a JSON string
        formatted, _ := json.Marshal(idList)
    
        // a JSON array starts and ends with '[' and ']' respectively, so we replace them with '(' and ')'
        formatted[0] = '('
        formatted[len(formatted)-1] = ')'
    
        // create a static select query
        query := fmt.Sprintf("SELECT identifier, is_enabled FROM some_table WHERE identifier in %s", string(formatted))
    
        // run the query
        rows, err := db.Query(query)
        if err != nil {
            panic(err.Error()) // proper error handling instead of panic in your app
        }
        defer rows.Close()
    
        var result []Result
        // fetch rows
        for rows.Next() {
            var r0 Result
            if err := rows.Scan(&r0.Identifier, &r0.Enabled); err != nil {
                log.Fatal(err)
            }
            // append the row to the result
            result = append(result, r0)
        }
        if err := rows.Err(); err != nil {
            log.Fatal(err)
        }
    
        fmt.Printf("result = %v\n", result)
    }
    
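The first workaround listed in the earlier answer (a fixed number of placeholders, padded with NULL and run in batches) keeps every value bound, so the SQL text never contains data as it does in the string-built query above. This is an added example, not code from any of the answers; `Style`, `FixedIn` and `Batches` are names made up here, and the two placeholder styles shown are the common `?` and `$n` forms.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Style names a placeholder syntax (type and constants are this example's own).
type Style int

const (
	Question Style = iota // ?, ?    e.g. MySQL, SQLite
	Dollar                // $1, $2  e.g. PostgreSQL
)

// FixedIn builds an IN list of exactly size placeholders: one statement text for any list length.
func FixedIn(s Style, base string, size int) string {
	marks := make([]string, size)
	for i := range marks {
		marks[i] = "?"
		if s == Dollar {
			marks[i] = "$" + strconv.Itoa(i+1)
		}
	}
	return base + " IN (" + strings.Join(marks, ", ") + ")"
}

// Batches splits ids into argument lists of exactly size entries. Unused slots stay nil (bound
// as NULL); NULL equals nothing, so padding adds no rows to IN (not safe for NOT IN).
func Batches(ids []string, size int) [][]interface{} {
	var out [][]interface{}
	for start := 0; size > 0 && start < len(ids); start += size {
		args := make([]interface{}, size)
		for i := 0; i < size && start+i < len(ids); i++ {
			args[i] = ids[start+i]
		}
		out = append(out, args)
	}
	return out
}

func main() {
	ids := []string{"ID1", "ID2", "ID3", "ID4", `O'Neil "x"`} // constructed; quotes stay data
	fmt.Println(FixedIn(Question, "SELECT identifier FROM some_table WHERE identifier", 3))
	for _, args := range Batches(ids, 3) {
		fmt.Println(args...) // with a live handle: stmt.Query(args...)
	}
}
```

Prepare the `FixedIn` text once and call `stmt.Query(args...)` for each batch, appending the rows from every batch to one result slice.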