Go想要这个SQL查询中的第二个参数.我试图IN
在postgres中使用查找.
stmt, err := db.Prepare("SELECT * FROM awesome_table WHERE id= $1 AND other_field IN $2") rows, err := stmt.Query(10, ???)
我真正想要的是:
SELECT * FROM awesome_table WHERE id=10 AND other_field IN (this, that);
David Budwor.. 41
查询只需要使用varargs来替换你的sql中的params,所以在你的例子中,你会这样做
rows, err := stmt.Query(10)
比如说,你和你的第二个例子是动态的,那么你就做了
stmt, err := db.Prepare("SELECT * FROM awesome_table WHERE id=$1 AND other_field IN ($2, $3)") rows, err := stmt.Query(10,"this","that")
如果你有"IN"部分的变量args,你可以做(播放)
package main import "fmt" import "strings" func main() { stuff := []interface{}{"this", "that", "otherthing"} sql := "select * from foo where id=? and name in (?" + strings.Repeat(",?", len(stuff)-1) + ")" fmt.Println("SQL:", sql) args := []interface{}{10} args = append(args, stuff...) fakeExec(args...) // This also works, but I think it's harder for folks to read //fakeExec(append([]interface{}{10},stuff...)...) } func fakeExec(args ...interface{}) { fmt.Println("Got:", args) }
所以我明白了,这会奏效.我想我期待sql驱动程序将切片或其他东西转换为适当的东西.例如:```stmt,err:= db.Prepare("SELECT*FROM awesome_table WHERE id = $ 1 AND other_field IN $ 2")``````args:= [] int {1,3,4,5} ``````rows,err:= stmt.Query(10,args)``` (5认同)
如果in子句中有不同数量的项目怎么办? (4认同)
Pete.. 35
看起来你可能正在使用pq驱动程序. pq
最近通过pq.Array添加了Postgres特定的阵列支持(参见pull请求466).您可以通过以下方式获得所需内容:
stmt, err := db.Prepare("SELECT * FROM awesome_table WHERE id= $1 AND other_field = ANY($2)") rows, err := stmt.Query(10, pq.Array([]string{'this','that'})
我认为这会生成SQL:
SELECT * FROM awesome_table WHERE id=10 AND other_field = ANY('{"this", "that"}');
请注意,这会使用预先准备好的语句,因此应对输入进行清理.
查询只需要使用varargs来替换你的sql中的params,所以在你的例子中,你会这样做
rows, err := stmt.Query(10)
比如说,你和你的第二个例子是动态的,那么你就做了
stmt, err := db.Prepare("SELECT * FROM awesome_table WHERE id=$1 AND other_field IN ($2, $3)") rows, err := stmt.Query(10,"this","that")
如果你有"IN"部分的变量args,你可以做(播放)
package main import "fmt" import "strings" func main() { stuff := []interface{}{"this", "that", "otherthing"} sql := "select * from foo where id=? and name in (?" + strings.Repeat(",?", len(stuff)-1) + ")" fmt.Println("SQL:", sql) args := []interface{}{10} args = append(args, stuff...) fakeExec(args...) // This also works, but I think it's harder for folks to read //fakeExec(append([]interface{}{10},stuff...)...) } func fakeExec(args ...interface{}) { fmt.Println("Got:", args) }
看起来你可能正在使用pq驱动程序. pq
最近通过pq.Array添加了Postgres特定的阵列支持(参见pull请求466).您可以通过以下方式获得所需内容:
stmt, err := db.Prepare("SELECT * FROM awesome_table WHERE id= $1 AND other_field = ANY($2)") rows, err := stmt.Query(10, pq.Array([]string{'this','that'})
我认为这会生成SQL:
SELECT * FROM awesome_table WHERE id=10 AND other_field = ANY('{"this", "that"}');
请注意,这会使用预先准备好的语句,因此应对输入进行清理.
像我这样的人试图使用带查询的数组,这是一个简单的解决方案.
获取https://github.com/jmoiron/sqlx
ids := []int{1, 2, 3} q,args,err := sqlx.In("SELECT id,username FROM users WHERE id IN(?);", ids) //creates the query string and arguments //you should check for errors of course q = sqlx.Rebind(sqlx.DOLLAR,q) //only if postgres rows, err := db.Query(q,args...) //use normal POSTGRES/ANY SQL driver important to include the '...' after the Slice(array)
至少使用PostgreSQL,您可以使用单个占位符将整个数组作为字符串传递:
db.Query("select 1 = any($1::integer[])", "{1,2,3}")
这样,您可以使用单个查询字符串,并且所有字符串连接都仅限于参数.如果参数格式错误,则不会获得SQL注入; 你得到的结果如下:错误:整数的输入语法无效:"xyz"
https://groups.google.com/d/msg/golang-nuts/vHbg09g7s2I/RKU7XsO25SIJ