How do you use URL.Query().Get() to fill in a SELECT statement using Golang

huangapple go评论96阅读模式
英文:

How do you use URL.Query().Get() to fill in a SELECT statement using Golang

问题

func startHandler(w http.ResponseWriter, r *http.Request) {
    conn_str := dbuser + ":" + dbpass + "@tcp(" + dbhost + ":" + dbport + ")/" + dbdb
    log.Println(conn_str)

    db, err := sql.Open("mysql", conn_str)
    if err != nil {
        log.Println("DB Error - Unable to connect:", err)
    }
    defer db.Close()

    table := r.URL.Query().Get("table")

    rows, _ := db.Query("SELECT * FROM "+ table) // 从表中选择所有列
    cols, _ := rows.Columns()

    fmt.Fprintf(w, "%s\n", cols)
}

当我尝试这样做时,它没有填充我从网站输入的值。如果我在终端中使用log.Println(table),它会显示出来。但它不会显示在网站上,也不会填充到选择语句中的表中...

英文:
func startHandler(w http.ResponseWriter, r *http.Request) {
	conn_str := dbuser + ":" + dbpass + "@tcp(" + dbhost + ":" + dbport + ")/" + dbdb
	log.Println(conn_str)

	db, err := sql.Open("mysql", conn_str)
	if err != nil {
		log.Println("DB Error - Unable to connect:", err)
	}
	defer db.Close()

	table := r.URL.Query().Get("table")

	
		rows, _ := db.Query("SELECT * FROM "+ table) //selects all columns from table
		cols, _ := rows.Columns()

		fmt.Fprintf(w, "%s\n", cols)

When i try this, it does not fill in the value that i entered from my website. If i log.Println(table) it does show in my terminal. But it will not display on website or fill in the select statement with table...

答案1

得分: 1

假设你是从API调用这个函数,有几件事情我会补充说明,而且不要使用通配符(*)选择。

编辑:我想我可能误解了你的问题,我会看看是否能给出更好的答案。

你是说你有一个表的打印值,但是没有来自数据库的响应?其他评论者是正确的,不要使用"_",而是获取一个真正的错误并使用fmt.Println(err.Error())。

编辑2:@jub0bs提出的另一个很好的观点是,这是一个巨大的漏洞。Go非常支持这一点,允许你这样做:

db.Query("SELECT * FROM ?", table)

而不是你目前的做法。

我刚刚运行了以下代码:

results, err := publicDB.Query("SELECT * FROM "+r.URL.Query().Get("name")) + " LIMIT 1"
	if err != nil {
		fmt.Println(err.Error())
	}
	for results.Next() {
		fmt.Println(results.Columns())
	}

它运行成功了。我调用的URL是www.mysite.com/endpoint?name=tablename。

英文:

Assuming you are calling this from an API, there a few things I would add, not mention avoiding wildcard (*) selects.

EDIT: I think I may have misunderstood your question, I will see if I can give a better answer.

You're saying that you have a printed value for table, but no response from the DB? Other commentor is correct, instead of "_", get a real error and fmt.Println(err.Error()).

EDIT 2: Another good point made by @jub0bs is that this is a huge vulnerability. Go supports this very well by allowing you to do:

db.Query("SELECT * FROM ?",table)

instead of what you have currently.

I just ran the following code:

results,err := publicDB.Query("SELECT * FROM "+r.URL.Query().Get("name"))+" LIMIT 1"
	if err != nil {
		fmt.Println(err.Error())
	}
	for results.Next(){
		fmt.Println(results.Columns())
	}

and it worked. I called the URL www.mysite.com/endpoint?name=tablename

huangapple
  • 本文由 发表于 2021年6月17日 02:24:37
  • 转载请务必保留本文链接:https://go.coder-hub.com/68008176.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定