I use the following package for working with databases: https://github.com/ziutek/mymysql

There is such a function:

```go
func new_query(Query string) {
	db := mysql.New("tcp", "", "127.0.0.1:3306", "root", "12345", "test")
	err := db.Connect()
	if err != nil {
		log.Println("Не удалось подключиться к базе данных")
		return
	}
	defer db.Close() // close only a connection that was actually opened
	stmt, err := db.Prepare(Query)
	if err != nil {
		log.Println("Не удалось подготовить запрос")
		return
	}
	_, err = stmt.Run()
	if err != nil {
		log.Println("Не удалось выполнить запрос")
		return
	}
}
```

There is this Go code:

```go
var Name string = "Название"
var CreatedBy int = 777
var query string = "insert into table(Name,CreatedBy) values (?,?)" // ????
new_query(query)
```

I need to end up with query = "insert into table(Name,CreatedBy) values ("Название",777)". I tried substituting with %s, but I can't figure it out. The official site suggests first doing stmt, err := db.Prepare("insert into X values (?, ?)"), but I want to make a universal function that you hand SQL text and it executes it. And here, in fact, there is no db.Prepare - I just passed the text, which could contain SQL injection...

If I pass the function a query (with placeholders where values need to be substituted) and an array of parameters, but each query can have its own number of parameters, how do I iterate through them?

And also, is it possible, using regular expressions, to somehow strip special characters from a string, or escape it somehow, so that there are no SQL injections?

It seems to me that I am reinventing the wheel)))

    1 answer

    Something like this (I don't have MySQL, so I can't check it for errors; if something breaks, post it here and I'll figure it out):

```go
func new_query(Query string, args ...interface{}) {
	db := mysql.New("tcp", "", "127.0.0.1:3306", "root", "12345", "test")
	err := db.Connect()
	if err != nil {
		log.Println("Не удалось подключиться к базе данных")
		return
	}
	defer db.Close()
	stmt, err := db.Prepare(Query)
	if err != nil {
		log.Println("Не удалось подготовить запрос")
		return
	}
	// the values are bound as parameters, never spliced into the SQL text
	_, err = stmt.Run(args...)
	if err != nil {
		log.Println("Не удалось выполнить запрос")
		return
	}
}
```

    Usage:

```go
Name := "Название"
CreatedBy := 777
query := "insert into table(Name,CreatedBy) values (?,?)"
new_query(query, Name, CreatedBy)
```

    In general, for working with relational databases there is a sort of ORM analogue: gore.

    • It gives a syntax error: unexpected name, expecting semicolon or newline or } - Rakzin Roman
    • Still, a bit off topic. You wrote that you don't have MySQL at the moment, or that you don't use it? If you use NoSQL: I just want to study NoSQL, and many people write that it is faster, but there are no SQL queries and complex selects, so is it worth it? - Rakzin Roman
    • @TwoRS, you could at least say on which line. I did not find any errors in the function itself. I found one in the line query string ="insert into table(Name,CreatedBy) values (?,?)" in the usage example, which I hadn't looked at; I copied it from you. Corrected to how it should be. - Vadim Shender
    • @TwoRS, I haven't used MySQL for a long time; I currently use PostgreSQL as a relational database, and of the so-called NoSQL I now actively use only Redis. You need to clearly understand what each database gives you and what it is good at. Each task has its own tools; NoSQL is not a panacea or a complete replacement for relational databases, and whether any particular NoSQL database fits your task is up to you. - Vadim Shender
    • Thanks. It worked. But first I carelessly copied the insert into table ... query, the table does not exist in the database, and the server crashed with many lines of expletives. Why wasn't this error handled by err? This is unlikely to happen, since I will check everything before compiling, but still, how do I handle this case? - Rakzin Roman
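The answer's pattern taken one step further, as an added example that is not from the question, the answer or mymysql: the number of `?` placeholders is checked against the number of arguments before anything is prepared, and the Prepare error the last comment ran into is returned instead of dereferencing a nil statement. Statement and Preparer are minimal interfaces assumed here so the code runs without a database server.

```go
package main

import "fmt"

// Minimal interfaces assumed for this example so it runs without a server;
// in real code the mymysql connection and its prepared statement fill these
// roles (assumption: their exact method sets are not reproduced here).
type Statement interface{ Run(args ...interface{}) error }
type Preparer interface{ Prepare(query string) (Statement, error) }

// countPlaceholders counts '?' markers outside quoted SQL string literals,
// so a question mark inside a constant is not mistaken for a parameter slot.
func countPlaceholders(query string) int {
	n, quote := 0, byte(0)
	for i := 0; i < len(query); i++ {
		switch c := query[i]; {
		case quote != 0: // inside a literal: only look for its closing quote
			if c == quote {
				quote = 0
			}
		case c == '\'' || c == '"':
			quote = c
		case c == '?':
			n++
		}
	}
	return n
}

// execQuery is the answer's "universal" function with two defects fixed:
// the Prepare error is checked before Run, so a missing table yields an
// error instead of a nil-statement panic, and the number of '?' must equal
// the number of args, so values travel only as bound parameters and are
// never spliced into the SQL text.
func execQuery(db Preparer, query string, args ...interface{}) error {
	if want, got := countPlaceholders(query), len(args); want != got {
		return fmt.Errorf("query has %d placeholders but %d args", want, got)
	}
	stmt, err := db.Prepare(query)
	if err != nil {
		return fmt.Errorf("prepare: %w", err)
	}
	if err := stmt.Run(args...); err != nil {
		return fmt.Errorf("run: %w", err)
	}
	return nil
}
```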