This repository has been archived by the owner on Jun 14, 2019. It is now read-only.
Can't the ToBoundSQL function filter parameters to prevent SQL injection? #49
@xuyuri I moved this issue to builder. I think yes. The check hasn't been implemented.
@xuyuri Hi, after looking at this, we decided to parameterize the string (similar in effect to a prepared statement) rather than filter out malicious conditions. Is that acceptable?
Do you mean using ? as a placeholder in place of the parameter?
Yes, but it returns the processed result. For example:
will be processed as
That works!
Code:

```go
name := "cat;sleep(1)"
table := "t_tmp_info" // table name taken from the generated SQL below
build := builder.MySQL()
sql, err := build.Select("*").From(table).Where(builder.Cond(builder.Eq{"name": name})).ToBoundSQL()
if err != nil {
	panic(err)
}
```

The generated SQL statement is: `SELECT * FROM t_tmp_info WHERE name='cat;sleep(1)'`

`sleep(1)` was not filtered out at all.
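To make the maintainer's point concrete, here is an added, self-contained Go example (not the builder's own code; the `Eq`, `ToSQL`, `ToBoundSQL` and `quoteLiteral` names are assumptions chosen to mirror the issue). It produces both output shapes the thread contrasts: the parameterized form, where the value travels in a separate `args` slice and never becomes SQL text, and the bound form, where the value is inlined as a quoted literal. Note that in the reporter's output the value is already a string literal, so `cat;sleep(1)` is plain data; what actually matters for the bound form is that an embedded quote cannot terminate the literal, which is what `quoteLiteral` guarantees by doubling it.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Eq is a hypothetical equality condition (column -> value), named after
// builder.Eq from the issue but implemented here from scratch.
type Eq map[string]interface{}

// ToSQL returns a SELECT with "?" placeholders and the values in a separate
// args slice. This is the parameterized form: the database driver binds the
// values, so they are never interpreted as SQL.
func ToSQL(table string, cond Eq) (string, []interface{}) {
	cols := make([]string, 0, len(cond))
	for c := range cond {
		cols = append(cols, c)
	}
	sort.Strings(cols) // deterministic ordering for map iteration
	parts := make([]string, 0, len(cols))
	args := make([]interface{}, 0, len(cols))
	for _, c := range cols {
		parts = append(parts, c+"=?")
		args = append(args, cond[c])
	}
	sql := "SELECT * FROM " + table
	if len(parts) > 0 {
		sql += " WHERE " + strings.Join(parts, " AND ")
	}
	return sql, args
}

// quoteLiteral renders a Go value as a SQL literal. Strings are wrapped in
// single quotes with embedded single quotes doubled (the SQL-standard escape);
// numbers are written bare; unknown types are rejected instead of guessed.
func quoteLiteral(v interface{}) (string, error) {
	switch x := v.(type) {
	case string:
		return "'" + strings.ReplaceAll(x, "'", "''") + "'", nil
	case int, int64, float64:
		return fmt.Sprint(x), nil
	case bool:
		if x {
			return "TRUE", nil
		}
		return "FALSE", nil
	case nil:
		return "NULL", nil
	default:
		return "", fmt.Errorf("unsupported literal type %T", v)
	}
}

// ToBoundSQL replaces each "?" with a quoted literal, yielding a single string
// like the one in the issue. Its safety rests entirely on quoteLiteral: the
// value stays inside the quotes, so "cat;sleep(1)" is just text, and a value
// containing a quote cannot end the literal early. The scan assumes column
// names themselves contain no "?", which holds for the SQL ToSQL generates.
func ToBoundSQL(table string, cond Eq) (string, error) {
	sql, args := ToSQL(table, cond)
	var b strings.Builder
	i := 0
	for _, r := range sql {
		if r != '?' {
			b.WriteRune(r)
			continue
		}
		if i >= len(args) {
			return "", fmt.Errorf("more placeholders than args")
		}
		lit, err := quoteLiteral(args[i])
		if err != nil {
			return "", err
		}
		b.WriteString(lit)
		i++
	}
	if i != len(args) {
		return "", fmt.Errorf("%d args left unbound", len(args)-i)
	}
	return b.String(), nil
}

func main() {
	// Constructed sample values: the one from the issue and one with an apostrophe.
	for _, name := range []string{"cat;sleep(1)", "O'Brien"} {
		s, args := ToSQL("t_tmp_info", Eq{"name": name})
		fmt.Println(s, args)
		bound, err := ToBoundSQL("t_tmp_info", Eq{"name": name})
		if err != nil {
			panic(err)
		}
		fmt.Println(bound)
	}
}
```

Of the two outputs, the `ToSQL` form is the one to hand to the driver in production; the bound string is useful for logging or debugging, and is only as safe as its quoting routine.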