问题
How can I prevent SQL injection attacks in Go while using "database/sql"?
This solves the single value field problem because you can remove the quotes, but I can't do that filtering a JSON/JSONB field, like in the following because the $1
is considered a string:
`SELECT * FROM foo WHERE bar @> '{"baz": "$1"}'`
The following works but it's prone to SQL Injection:
`SELECT * FROM foo WHERE bar @> '{"baz": "` + "qux" + `"}'`
How do I solve this?
EDITED after @mkopriva's comment:
How would I build this json [{"foo": $1}]
with the jsonb_*
functions? Tried the below without success:
jsonb_build_array(0, jsonb_build_object('foo', $1::text))::jsonb
There's no sql error. The filter just doesn't work. There's a way that I can check the builded sql? I'm using the database/sql
native lib.
回答1:
Is this what you're looking for?
type MyStruct struct {
Baz string
}
func main() {
db, err := sql.Open("postgres", "postgres://...")
if err != nil {
log.Panic(err)
}
s := MyStruct{
Baz: "qux",
}
val, _ := json.Marshal(s)
if err != nil {
log.Panic(err)
}
if _, err := db.Exec("SELECT * FROM foo WHERE bar @> ?", val); err != nil {
log.Panic(err)
}
}
As a side note, Exec
isn't for retrieval (although I kept it for you so the solution would match your example). Check out db.Query
(Fantastic tutorial here: http://go-database-sql.org/retrieving.html)
来源:https://stackoverflow.com/questions/54117802/how-to-prevent-sql-injection-in-postgresql-json-jsonb-field