如何过滤URL参数的输入localhost: 8080/v1/数据/:id
我想用mysql_real_escape_string这样的过滤器Golang中id的参数不能用?因为这个过滤器是动态的,这个参数可以用也可以不用,比如
if status != "99" {
where = append(where, "vs.stats = '1'")
}
if cari != "" {
where = append(where, "(lm.title_member like '%"+cari+"%' OR " +
"lm.nama_member like '%"+cari+"%' )")
}
query := "select vs.*, lm.nama_member from volks_shift vs left join list_member lm on vs.id_m=lm.id_m where vs.id_s=?"
rows, err := s.DB.QueryContext(ctx, query, id_s)
和我想要安全的cari val,不使用?
在database/sql包中没有转义函数,请参阅相关问题#18478(并且在使用数据库抽象层时调用特定于mysql的函数也不太好)。
但是也不需要,因为您仍然可以在动态查询中使用?。只需与查询一起动态地构建查询参数,如下所示:
query := "SELECT vs.*, lm.nama_member" +
" FROM volks_shift vs LEFT JOIN list_member lm ON vs.id_m=lm.id_m" +
" WHERE vs.id_s=?"
params := []interface{}{id_s}
if status != "99" {
query += " AND vs.stats = '1'"
}
if cari != "" {
query += " AND (lm.title_member LIKE ? OR lm.nama_member LIKE ?)"
params = append(params, "%"+cari+"%", "%"+cari+"%")
}
rows, err := s.DB.QueryContext(ctx, query, params...)