sqlescape

Documentation

Index

• func EscapeSQL(sql string, args ...any) (string, error)
• func EscapeString(s string) string
• func FormatSQL(w io.Writer, sql string, args ...any) error
• func MustEscapeSQL(sql string, args ...any) string
• func MustFormatSQL(w *strings.Builder, sql string, args ...any)

Functions

func EscapeSQL

func EscapeSQL(sql string, args ...any) (string, error)

EscapeSQL will escape input arguments into the sql string, doing necessary processing. It works like printf() in c, there are following format specifiers: 1. %?: automatic conversion by the type of arguments. E.g. []string -> ('s1','s2'..) 2. %%: output % 3. %n: for identifiers, for example ("use %n", db) But it does not prevent you from doing:

EscapeSQL("select '%?", ";SQL injection!;") => "select '';SQL injection!;'".

It is still your responsibility to write safe SQL.

func EscapeString

func EscapeString(s string) string

EscapeString is used by session/bootstrap.go, which has some dynamic query building cases not well handled by this package. For normal usage, please use EscapeSQL instead!

func FormatSQL

func FormatSQL(w io.Writer, sql string, args ...any) error

FormatSQL is the io.Writer version of EscapeSQL. Please refer to EscapeSQL for details.

func MustEscapeSQL

func MustEscapeSQL(sql string, args ...any) string

MustEscapeSQL is a helper around EscapeSQL. The error returned from escapeSQL can be avoided statically if you do not pass interface{}.

func MustFormatSQL

func MustFormatSQL(w *strings.Builder, sql string, args ...any)

MustFormatSQL is a helper around FormatSQL, like MustEscapeSQL. But it asks that the writer must be strings.Builder, which will not return error when w.Write(...).