Go想要这个SQL查询中的第二个参数。
我想在postgres中使用IN查找。
stmt, err := db.Prepare("SELECT * FROM awesome_table WHERE id= $1 AND other_field IN $2")
rows, err := stmt.Query(10, ???)
我真正想要的是什么:
SELECT * FROM awesome_table WHERE id=10 AND other_field IN (this, that);
答案 0 :(得分:40)
查询只需要使用varargs来替换sql中的params 所以,在你的例子中,你只会做
rows, err := stmt.Query(10)
说,你和你的第二个例子是动态的,然后你会做
stmt, err := db.Prepare("SELECT * FROM awesome_table WHERE id=$1 AND other_field IN ($2, $3)")
rows, err := stmt.Query(10,"this","that")
如果你有“IN”部分的变量args,你可以做(play)
package main
import "fmt"
import "strings"
func main() {
stuff := []interface{}{"this", "that", "otherthing"}
sql := "select * from foo where id=? and name in (?" + strings.Repeat(",?", len(stuff)-1) + ")"
fmt.Println("SQL:", sql)
args := []interface{}{10}
args = append(args, stuff...)
fakeExec(args...)
// This also works, but I think it's harder for folks to read
//fakeExec(append([]interface{}{10},stuff...)...)
}
func fakeExec(args ...interface{}) {
fmt.Println("Got:", args)
}
答案 1 :(得分:30)
看起来您可能正在使用pq driver。 pq最近通过pq.Array添加了Postgres特定的阵列支持(请参阅pull request 466)。你可以通过以下方式获得你想要的东西:
stmt, err := db.Prepare("SELECT * FROM awesome_table WHERE id= $1 AND other_field = ANY($2)")
rows, err := stmt.Query(10, pq.Array([]string{'this','that'})
我认为这会生成SQL:
SELECT * FROM awesome_table WHERE id=10 AND other_field = ANY('{"this", "that"}');
请注意,这会使用预先准备好的语句,因此应对输入进行清理。
答案 2 :(得分:17)
像我这样的人试图使用带查询的数组,这是一个简单的解决方案。
获取https://github.com/jmoiron/sqlx
ids := []int{1, 2, 3}
q,args,err := sqlx.In("SELECT id,username FROM users WHERE id IN(?);", ids) //creates the query string and arguments
//you should check for errors of course
q = sqlx.Rebind(sqlx.DOLLAR,q) //only if postgres
rows, err := db.Query(q,args...) //use normal POSTGRES/ANY SQL driver important to include the '...' after the Slice(array)
答案 3 :(得分:11)
至少使用PostgreSQL,您可以选择使用单个占位符将整个数组作为字符串传递:
db.Query("select 1 = any($1::integer[])", "{1,2,3}")
这样,您可以使用单个查询字符串,并且所有字符串连接都限制在参数中。如果参数格式错误,则不会获得SQL注入;你得到的结果如下:错误:整数的输入语法无效:“xyz”
https://groups.google.com/d/msg/golang-nuts/vHbg09g7s2I/RKU7XsO25SIJ
答案 4 :(得分:1)
如果使用sqlx,则可以采用以下方式: https://github.com/jmoiron/sqlx/issues/346
arr := []string{"this", "that"}
query, args, err := sqlx.In("SELECT * FROM awesome_table WHERE id=10 AND other_field IN (?)", arr)
query = db.Rebind(query) // sqlx.In returns queries with the `?` bindvar, rebind it here for matching the database in used (e.g. postgre, oracle etc, can skip it if you use mysql)
rows, err := db.Query(query, args...)
答案 5 :(得分:0)
//I tried a different way. A simpler and easier way, maybe not too efficient.
stringedIDs := fmt.Sprintf("%v", ids)
stringedIDs = stringedIDs[1 : len(stringedIDs)-1]
stringedIDs = strings.ReplaceAll(stringedIDs, " ", ",")
query := "SELECT * FROM users WHERE id IN (" + stringedIDs + ")"
//Then follow your standard database/sql Query
rows, err := db.Query(query)
//error checking
if err != nil {
// Handle errors
} else {
// Process rows
}
答案 6 :(得分:-1)
您也可以使用此直接转换。
awesome_id_list := []int{3,5,8}
var str string
for _, value := range awesome_id_list {
str += strconv.Itoa(value) + ","
}
query := "SELECT * FROM awesome_table WHERE id IN (" + str[:len(str)-1] + ")"
警告
这种方法很容易受到SQL注入攻击。仅在服务器生成awesome_id_list时才使用此方法。
答案 7 :(得分:-1)
相当行人,仅在服务器生成时使用。其中UserID是字符串的切片(列表):
sqlc := `select count(*) from test.Logins where UserID
in ("` + strings.Join(UserIDs,`","`) + `")`
errc := db.QueryRow(sqlc).Scan(&Logins)