Sample code
SQL
-- sqlt template (Go text/template syntax inside SQL comments). The literal that follows each
-- directive -- (1, 2), 'John Doe', id -- is only a placeholder that keeps the raw file valid
-- SQL; sqlt presumably swaps it out when Exec renders the template.
-- "in" and "p" appear to bind their values as query parameters. "out" looks like a verbatim
-- splice (no bind): the "order" value lands in ORDER BY as an identifier, so it must come
-- from a fixed allow-list, never from raw request input -- TODO confirm against sqlt docs.
SELECT *
FROM users
WHERE id IN /*% in "ids" %*/(1, 2)
AND name = /*% p "name" %*/'John Doe'
/*%- if get "onlyMale" %*/
AND sex = 'MALE'
/*%- end %*/
ORDER BY /*% out "order" %*/id
ྫ1ʣύϥϝʔλͷׂ
-- sqlt template with optional clauses: each "if get ..." block is emitted only when the named
-- key is present/truthy in the parameter map.
-- "infix" feeds a LIKE pattern, so the input's % and _ must be escaped (the slide text makes
-- the same point) or a user value can widen the match.
-- "in" with the (NULL) placeholder expands a slice into an IN list, which plain database/sql
-- drivers do not do for `WHERE id IN $1`.
SELECT * FROM users
WHERE name LIKE /*% infix "name" %*/'John Doe'
/*% if get "available" %*/
AND status = /*% in "stats" %*/(NULL)
/*% end %*/
/*% if get "email" %*/
AND email = /*% p "email" %*/'[email protected]'
/*% end %*/
例2）IN 句におけるスライスの展開
ほとんどの database/sql のドライバは WHERE id IN $1 に
対してスライスを渡しても展開しない。
例3）エスケープ処理したパラメータが
必要
-- The same "name" parameter is used twice: once as an equality operand, once as a LIKE
-- pattern via "infix", which must escape % and _ (otherwise a name containing them acts as
-- a wildcard). The 'John' literals are placeholders replaced at render time.
-- NOTE(review): the equality operand uses "out" rather than "p"; confirm that "out" binds or
-- escapes the value here -- if it splices text verbatim, this line is injectable.
SELECT id
, name
, name = /*% out "name" %*/'John' AS matched
FROM users
WHERE name LIKE /*% infix "name" %*/'John'
ORDER BY matched DESC, name
例3）エスケープ処理したパラメータが
必要
同じ name パラメータを利用しているが、1つめはそのままでい
いのに対し、2つめは LIKE の対象にするため % _ をエスケ
ープした値が必要。
残念ながら
// Form is the caller-supplied input for the injection demo; Name is user-controlled text.
type Form struct {
Name string
}
// s is the sqlt template shown with this snippet (not defined in this excerpt).
st := sqlt.New(sqlt.Postgres)
// Exec renders template s with the given parameter map and returns the SQL text plus the
// bound args (presumably, from the return names). The Name value is deliberately hostile:
// when a template splices it verbatim, the quote terminates the literal and rewrites WHERE.
// err is left unchecked here because this is a slide excerpt -- check it in real code.
query, args, err := st.Exec(s, map[string]interface{}{
"form": Form{Name: "' OR 1 = 1;"},
})
こんなコードが
-- UNSAFE (this is the injection example): $f.Name is emitted verbatim inside the quotes,
-- so a Name of ' OR 1 = 1; renders as WHERE name = '' OR 1 = 1; and the filter vanishes.
-- Bind the value with the "p" directive instead of writing it into a quoted literal.
SELECT *
FROM users
/*%- $f := get "form" %*/
WHERE name = '/*% $f.Name %*/'
かけてしまう
-- Rendered output of the template above for Name = "' OR 1 = 1;": the injected OR makes the
-- predicate always true, so every row of users is returned instead of a single match.
SELECT *
FROM users
WHERE name = '' OR 1 = 1;
range で
// V wraps one user-controlled string; a slice of V drives the range example.
type V struct {
Value string
}
// s is the sqlt template shown with this snippet (not defined in this excerpt).
st := sqlt.New(sqlt.Postgres)
// Exec renders template s with the parameter map and returns SQL text plus bound args
// (presumably, from the return names). The first element is deliberately hostile; a template
// that splices Value verbatim lets any one element break the predicate.
// err is left unchecked here because this is a slide excerpt -- check it in real code.
query, args, err := st.Exec(s, map[string]interface{}{
"values": []V{
V{"' OR 1 = 1;"},
V{"foo"},
V{"bar"},
},
})
書けてしまう
-- UNSAFE: the same verbatim splice, now inside a range loop. Every element of "values" is
-- written into a quoted literal, so one hostile element (the first one in the Go snippet)
-- turns the whole parenthesised predicate into '' OR 1 = 1; OR ... .
-- The "if ne $i 0" guard only adds OR between elements; it has no escaping role.
SELECT * FROM users
WHERE (
/*%- range $i, $v := get "values" %*/
/*%- if ne $i 0 %*/ OR /*% end %*/
name = '/*% $v.Value %*/'
/*%- end %*/
)
ちなみに
-- Safe form of the range example: "p" with (name "values" $i "Value") appears to bind each
-- element as a query parameter, so element text never becomes part of the SQL string.
-- The trailing '' is only a placeholder that keeps the raw template valid SQL.
SELECT * FROM users
WHERE (
/*%- range $i, $v := get "values" %*/
/*%- if ne $i 0 %*/ OR /*% end %*/
name = /*% p (name "values" $i "Value") %*/''
/*%- end %*/
)
安全に書く方法も提供している。