import (
    "time"

    "gopkg.in/pg.v3"
)

type User struct {
    ID        int64
    Login     string
    Password  string
    IsActive  bool
    CreatedAt time.Time
    Database  DatabaseInfo // type name fixed: was misspelled "Databaseinfo"
}

type DatabaseInfo struct {
    DB *pg.DB
}

// GetByName loads the "user" row whose login column equals login into u.
// The "?" is a query placeholder that go-pg fills with the login argument.
func (u *User) GetByName(login string) (*User, error) {
    _, err := u.Database.DB.QueryOne(u, `SELECT * FROM "user" WHERE login = ?;`, login)
    return u, err
}

Did I understand correctly that the query fetches a virtual table and then weeds out the rows that do not contain the login?

Questions:

 - What does the '?' symbol mean? - The ';' symbol means the end of the line - The login string is passed into '...login = ?;' 
  • "?" means a parameter in a parameterized query. A query is prepared on the server, the so-called prepared statement. Such a query may contain parameters. Then the parameter values are transmitted to the server and the query is executed with these values in place of the "?". I.e. it is similar to a function call with parameters. ";" is the standard SQL query separator. login, as already mentioned above, is transmitted to the server as the value of the first (and, in this case, only) parameter. - Sergey

2 answers

I am not familiar with PostgreSQL, but in MySQL this query, I think, will work in a similar way.

The character ? in this case is the so-called placeholder. Placeholders are needed to protect against SQL injection, or at least for more convenient code organization. The value of the login variable, which you passed as an argument to the u.Database.DB.QueryOne() method, will be substituted in its place.

The symbol ; is not the end of the line but the end of the SQL statement. A single line can contain several SQL queries, and a semicolon is used to separate them.

Did I understand correctly that the query fetches a virtual table and then weeds out the rows that do not contain the login?

This query will fetch all records from the user table whose login field matches the value of the login variable.

  • It seems to me that "?" appeared long before SQL injection. It was intended for executing the same query multiple times with different parameters. The fact that parameters also let you avoid SQL injection was, for some reason, realized relatively recently. Early versions of the PHP functions for working with SQL had, in principle, no notion of parameterized queries, and for many PHP adherents this still remains a mystery. - Sergey
  • I never put a semicolon in Postgres. Maybe it is not mandatory for it, or the driver substitutes it automatically? I do not know, but there are grounds for doubting the statement that the semicolon is mandatory. - Sergey
  • @Sergey most likely you are right; I read it in the docs for the sixth version of the DBMS. I am deleting the semicolon statement. - neluzhin
  • The user table contains a login column, so the SQL query will search for a match among the values in this column, right? - Tarakan
  • @Tarakan, apart from a mistake in terminology, I think you understood everything correctly. - neluzhin
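As an added example (not code from the question or from either answer), here is the placeholder behaviour described above run end to end: the same lookup written once by pasting the login into the SQL text and once with a "?" parameter, against an in-memory SQLite database standing in for PostgreSQL (Python's sqlite3 module also uses "?" for positional parameters). The user rows and the injected login value are constructed for the example.

```python
import sqlite3

# Constructed sample rows for a "user" table (not data from the page).
SAMPLE_USERS = [
    (1, "alice", "s3cret", 1),
    (2, "bob", "hunter2", 0),
    (3, "o'brien", "pa55", 1),   # a legitimate login containing a quote
]

# A classic tautology payload supplied as the "login" value.
INJECTION = "' OR '1'='1"


def make_db():
    """Create an in-memory database with the sample user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        'CREATE TABLE "user" (id INTEGER PRIMARY KEY, login TEXT, '
        'password TEXT, is_active INTEGER)'
    )
    # executemany binds the "?" placeholders once per row.
    conn.executemany('INSERT INTO "user" VALUES (?, ?, ?, ?)', SAMPLE_USERS)
    return conn


def get_by_name_concat(conn, login):
    """Vulnerable: the value is pasted into the SQL text, so the database
    parses whatever it contains as SQL."""
    sql = f"SELECT id, login FROM \"user\" WHERE login = '{login}'"
    return conn.execute(sql).fetchall()


def get_by_name_param(conn, login):
    """Safe: the SQL text is fixed and the value travels separately; the
    driver binds it to "?" as data, never as SQL."""
    sql = 'SELECT id, login FROM "user" WHERE login = ?'
    return conn.execute(sql, (login,)).fetchall()


def demo():
    """Run both variants on an honest login, a login containing a quote,
    and the injection payload; return the results keyed by case."""
    conn = make_db()
    out = {
        "honest_concat": get_by_name_concat(conn, "alice"),
        "honest_param": get_by_name_param(conn, "alice"),
        # The tautology turns the concatenated query into
        # ... WHERE login = '' OR '1'='1', which matches every row.
        "injected_concat": get_by_name_concat(conn, INJECTION),
        # The bound version looks for a login literally equal to the payload.
        "injected_param": get_by_name_param(conn, INJECTION),
        # A quote inside the value is just data when it is bound.
        "quote_param": get_by_name_param(conn, "o'brien"),
    }
    try:
        # The same quote breaks the SQL syntax of the concatenated query.
        out["quote_concat"] = get_by_name_concat(conn, "o'brien")
    except sqlite3.OperationalError as exc:
        out["quote_concat"] = f"error: {exc}"
    conn.close()
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} {result}")
```

The concatenated variant returns every row for the tautology payload and fails outright on a login that merely contains an apostrophe; the parameterized variant returns exactly the matching row in both cases because the query text never changes, only the bound value does.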
 SqlCommand command = new SqlCommand();
 // No placeholder here: string interpolation pastes the login value straight into the SQL text.
 command.CommandText = $"SELECT * FROM user WHERE login = {login}";