How do you use URL.Query().Get() to fill in a SELECT statement using Golang

Question

func startHandler(w http.ResponseWriter, r *http.Request) {
	conn_str := dbuser + ":" + dbpass + "@tcp(" + dbhost + ":" + dbport + ")/" + dbdb
	log.Println(conn_str)

	db, err := sql.Open("mysql", conn_str)
	if err != nil {
		log.Println("DB Error - Unable to connect:", err)
	}
	defer db.Close()

	table := r.URL.Query().Get("table")

	rows, _ := db.Query("SELECT * FROM " + table) // selects all columns from table
	cols, _ := rows.Columns()

	fmt.Fprintf(w, "%s\n", cols)
}

When I try this, it does not fill in the value that I entered from my website. If I log.Println(table) it does show in my terminal. But it will not display on the website or fill in the select statement with table...

Answer 1

Score: 1

Assuming you are calling this from an API, there are a few things I would add, not to mention avoiding wildcard (*) selects.

EDIT: I think I may have misunderstood your question, I will see if I can give a better answer.

You're saying that you have a printed value for table, but no response from the DB? The other commenter is correct: instead of "_", get a real error and fmt.Println(err.Error()).

EDIT 2: Another good point made by @jub0bs is that this is a huge vulnerability. Go supports this very well by allowing you to do:

db.Query("SELECT * FROM ?", table)

instead of what you have currently.

I just ran the following code:

results, err := publicDB.Query("SELECT * FROM " + r.URL.Query().Get("name") + " LIMIT 1")
if err != nil {
	fmt.Println(err.Error())
}
for results.Next() {
	fmt.Println(results.Columns())
}

and it worked. I called the URL www.mysite.com/endpoint?name=tablename.
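
Added example (editor's code, not the question's or the answer's): a ? placeholder can bind only a value, never a table name, so this version checks ?table= against an allowlist of tables and their columns, checks every error instead of discarding it with "_", and keeps database error details out of the HTTP response. The allowlist contents, the column names and the handler taking a *sql.DB are assumptions made for the example.

```go
package main

import (
	"database/sql"
	"fmt"
	"net/http"
	"strings"
)

// Allowlist of readable tables and their columns (constructed for this example).
// A ? placeholder binds values only, so an identifier is checked against a fixed set.
var allowedTables = map[string][]string{
	"users":  {"id", "email"},
	"orders": {"id", "user_id", "total"},
}

// buildSelect returns a SELECT for table only if it is on the allowlist; the
// column list also comes from the allowlist, so there is no wildcard select.
func buildSelect(table string) (string, error) {
	cols, ok := allowedTables[table]
	if !ok {
		return "", fmt.Errorf("table %q is not on the allowlist", table)
	}
	return "SELECT " + strings.Join(cols, ", ") + " FROM `" + table + "` LIMIT 1", nil
}

// startHandler is the question's handler reworked to validate ?table=..., check
// every error, and keep database details out of the HTTP response.
func startHandler(db *sql.DB) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		query, err := buildSelect(r.URL.Query().Get("table"))
		if err != nil {
			http.Error(w, "unknown table", http.StatusBadRequest)
			return
		}
		rows, err := db.Query(query)
		if err != nil {
			http.Error(w, "query failed", http.StatusInternalServerError)
			return
		}
		defer rows.Close()
		cols, err := rows.Columns()
		if err != nil {
			http.Error(w, "query failed", http.StatusInternalServerError)
			return
		}
		fmt.Fprintf(w, "%s\n", cols)
	}
}
```

Register the handler with http.HandleFunc("/start", startHandler(db)) after opening the database; a request with a table name outside the allowlist is answered with 400 before any SQL is sent.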

huangapple
  • Published on June 17, 2021 02:24:37
  • Please keep this link when reposting: https://go.coder-hub.com/68008176.html