Even standard SQL does not support using bind variables for everything that
uses SQL syntax and does not belong to DML (= data manipulation language).

On Monday, 18 September 2023, Vladimir Varankin <vladi...@varank.in> wrote:
> A thing that it may be valuable to explain further is that Go's
> "database/sql" doesn't come with a built-in query builder.
> The package implements the database connection pooling/management, but it
> passes the user's SQL input and its arguments to the "driver". Depending on
> the particular database kind, the driver may or may not try to interpret
> the query (and the args) before it passes them to the database server.
> In the specific example of MySQL/MariaDB, the support for placeholder "?"
> is a part of this database's flavour of SQL. Thus it's likely that the driver
> you're using passes the query with a placeholder to the DB server, but the
> DB's support of placeholders is limited to only a subset of queries (or
> places inside a query), as the link to the SO answer shared previously
> explained.
> Hope this makes it a little bit more clear.
> On Sunday, September 17, 2023 at 10:45:27 AM UTC+2 Brian Candler wrote:
>>
>> According to this SO answer, CREATE USER in mysql doesn't support
>> placeholders:
>>
>> https://stackoverflow.com/questions/20647115/how-to-write-create-user-with-mysql-prepared-statement
>> "+1 for a legitimate use of QUOTE() which is really the sanest thing
>> that can be done here, since CREATE USER doesn't support ? placeholders"
>> You can test this by trying a simple DML statement, e.g.
>> UPDATE users SET name=? where name=?
>>
>> On Sunday, 17 September 2023 at 01:02:08 UTC+1 John Zh wrote:
>>>
>>> Hi!
>>> I am going to make some kind of manager app over MySQL clusters by
>>> using Golang. But I found that when I try to exec some SQL line that
>>> includes a user name or db name, the SQL line can't be correctly
>>> parameterized.
>>> For example:
>>> Using GORM based on database/sql or directly using database/sql
>>> ```
>>> err := db.Exec("CREATE USER ? IDENTIFIED BY ?", a.Name, a.Pwd).Error
>>> ```
>>> Got
>>> ```
>>> [1.824ms] [rows:0] CREATE USER 'Reiis' IDENTIFIED BY '12345'
>>> Error 1064 (42000): You have an error in your SQL syntax; check the
>>> manual that corresponds to your MySQL server version for the right syntax
>>> to use near '? IDENTIFIED BY ?' at line 1
>>> ```
>>> Seems like it does not replace "?" with a.Name, but rather passes the
>>> SQL command with "?" directly to MySQL. What is more weird, it prints the
>>> SQL command with correctly replaced parameters in the log.
>>> I don't know the underlying reason behind this phenomenon; is it
>>> intentionally designed like that?
>>> Thx!
>
> --
> You received this message because you are subscribed to the Google Groups
> "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to golang-nuts+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/golang-nuts/1cc07940-48c3-4d53-b97e-d74faa4c76can%40googlegroups.com.
>

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/CA%2B8p0G2hRP4mwa2nP%2BzsGqnc_%2BiPv3vcTpk9gJaqrctWgKVzsg%40mail.gmail.com.
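Putting Brian's QUOTE() suggestion and the DDL-versus-DML point from the top of the thread into Go, as an added example that is not code from any of the posters: since CREATE USER accepts no "?" placeholders, the statement is assembled in Go with a QUOTE()-style escaper for the literals and an allowlist for the account name and host, while DML such as Brian's UPDATE keeps using db.Exec placeholders. The allowlist patterns and the function names are this example's own assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Allowlist for account names and hosts (an assumption of this example, not a
// MySQL rule): letters, digits, underscore; hosts may also use '.', '-' and '%'.
var (
	namePattern = regexp.MustCompile(`^[A-Za-z0-9_]{1,32}$`)
	hostPattern = regexp.MustCompile(`^[A-Za-z0-9_.%-]{1,255}$`)
)

// quoteLiteral escapes s the way MySQL's QUOTE() does: wrap in single quotes
// and backslash-escape backslash, single quote, NUL and Control-Z.
func quoteLiteral(s string) string {
	r := strings.NewReplacer(`\`, `\\`, `'`, `\'`, "\x00", `\0`, "\x1a", `\Z`)
	return "'" + r.Replace(s) + "'"
}

// buildCreateUser returns a CREATE USER statement to hand to db.Exec with no
// arguments, because the statement itself takes no "?" placeholders.
// Name and host must pass the allowlist; the password is only ever emitted as
// a quoted string literal, so a quote inside it cannot end the statement.
func buildCreateUser(name, host, password string) (string, error) {
	if !namePattern.MatchString(name) {
		return "", fmt.Errorf("rejecting user name %q", name)
	}
	if !hostPattern.MatchString(host) {
		return "", fmt.Errorf("rejecting host %q", host)
	}
	return fmt.Sprintf("CREATE USER %s@%s IDENTIFIED BY %s",
		quoteLiteral(name), quoteLiteral(host), quoteLiteral(password)), nil
}

func main() {
	// Constructed inputs: a plain case, a password with quote and backslash
	// (escaped, not rejected), and a name with a quote (rejected by the allowlist).
	for _, in := range [][3]string{
		{"Reiis", "localhost", "12345"},
		{"Reiis", "%", `p'a\s"s`},
		{"bob'x", "localhost", "x"},
	} {
		stmt, err := buildCreateUser(in[0], in[1], in[2])
		fmt.Println(stmt, err)
	}
}
```

A DML statement such as `db.Exec("UPDATE users SET name=? WHERE name=?", newName, oldName)` needs none of this, because there the driver and server handle the placeholders.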