InterpolateForDialect("SHOW CREATE TABLE ?;"...) produces invalid MySQL statement #254
Comments
you should use
Can you give an example of that? I tried this, but in the generated query, dbr.InterpolateForDialect("SHOW CREATE TABLE ?;", []interface{}{dbr.I("foo")}, dialect.MySQL)
    package main

    import (
        "fmt"

        "github.com/gocraft/dbr/dialect"
        "github.com/gocraft/dbr/v2"
    )

    func main() {
        fmt.Println(dbr.InterpolateForDialect("SHOW CREATE TABLE ?;", []interface{}{dbr.I("foo")}, dialect.MySQL))
    }
dbr.I will now quote with tick.
Ah, thank you so much, I didn't notice that using Can this approach be documented somewhere? This information is necessary for using the function, but isn't very discoverable.
yes.
It is there. This issue is helpful for the future :) dbr.I is just a proxy to quoteident, which is used in almost every place.
Thanks for that pointer. I'm looking in the examples, but not finding this other case: is there a way to invoke
Repro code:
Sandbox link showing this execution: https://go.dev/play/p/QGDpepYMCfM
The above code produces the following MySQL statement:

    SHOW CREATE TABLE 'foo';

This MySQL statement is not valid, because MySQL is not expecting ' (quotes) around the table name. MySQL docs in question.

Is there a way to invoke InterpolateForDialect in such a way that we can get the injection protection, but avoid quoting a particular parameter? Should we be using a different method entirely?
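The distinction this thread turns on, quoting a parameter as a value versus quoting it as an identifier, shown as a self-contained added example (not dbr's code and not from the issue). `Ident`, `quoteIdent`, `quoteString` and `interpolate` are hypothetical names, and the string-literal escaping is simplified.

```go
package main

import (
	"fmt"
	"strings"
)

// Ident marks a parameter as an identifier (the role dbr.I plays in the thread); hypothetical type.
type Ident string

// quoteIdent: MySQL identifier quoting, backticks with inner backticks doubled.
func quoteIdent(s string) string {
	return "`" + strings.ReplaceAll(s, "`", "``") + "`"
}

// quoteString: string-literal quoting (simplified; assumes backslash escapes are on, the MySQL default).
func quoteString(s string) string {
	return "'" + strings.NewReplacer(`\`, `\\`, `'`, `\'`).Replace(s) + "'"
}

// interpolate substitutes each ? with the next parameter, quoted by its Go type.
// Assumption: the query text contains no literal ? outside placeholders.
func interpolate(query string, params ...interface{}) (string, error) {
	if strings.Count(query, "?") != len(params) {
		return "", fmt.Errorf("placeholder/parameter count mismatch")
	}
	var b strings.Builder
	n := 0
	for i := 0; i < len(query); i++ {
		if query[i] != '?' {
			b.WriteByte(query[i])
			continue
		}
		switch p := params[n].(type) {
		case Ident: // table or column name: backtick quoting
			b.WriteString(quoteIdent(string(p)))
		case string: // data value: single-quote quoting
			b.WriteString(quoteString(p))
		default:
			return "", fmt.Errorf("unsupported parameter type %T", p)
		}
		n++
	}
	return b.String(), nil
}

func main() {
	fmt.Println(interpolate("SHOW CREATE TABLE ?;", "foo"))        // quoted as a value
	fmt.Println(interpolate("SHOW CREATE TABLE ?;", Ident("foo"))) // quoted as an identifier
}
```

A plain Go string is always treated as data, so a table name has to be wrapped in the identifier type explicitly; a backtick inside the name is doubled and cannot close the quoting early.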