1.2 SQL操作

1.2.1【必须】SQL语句默认使用预编译并绑定变量

  • 使用database/sql的prepare、Query或使用GORM等ORM执行SQL操作
  1.   import (
  2.     "github.com/jinzhu/gorm"
  3.     _ "github.com/jinzhu/gorm/dialects/sqlite"
  4.   )
  6.   type Product struct {
  7.     gorm.Model
  8.     Code string
  9.     Price uint
  10.   }
  11.   ...
  12.   var product Product
  13.   db.First(&product, 1)
  • 使用参数化查询,禁止拼接SQL语句,另外对于传入参数用于order by或表名的需要通过校验
  1. // bad
  2.   import (
  3.       "database/sql"
  4.       "fmt"
  5.       "net/http"
  6.   )
  8.   func handler(db *sql.DB, req *http.Request) {
  9.       q := fmt.Sprintf("SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='%s' ORDER BY PRICE",
  10.           req.URL.Query()["category"])
  11.       db.Query(q)
  12.   }
  14. // good
  15. func handlerGood(db *sql.DB, req *http.Request) {
  16.     //使用?占位符
  17.       q := "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='?' ORDER BY PRICE"
  18.       db.Query(q, req.URL.Query()["category"])
  19. }