>
> To prevent SQL injection and for flexibility, I'm set on using an sql 
> builder library.


I believe correctly used database/sql (with the argument placeholders) 
protects against SQL injection.

There’s a query builder for postgres with MIT license posted here a few 
days ago: https://groups.google.com/forum/#!topic/golang-nuts/Mtqvr1N1zAI

Otherwise strings.Builder (or bytes.Buffer pre-1.10), + string 
concatenation, or fmt.Sprintf can do it.

> ## First, create a solid CLI app. Then port it to the web via a JSON API, 
> that would simply consume the query string.


In Go this might be best done as a non-main package with a cmd folder that 
has a folder for the server and a folder for the CLI app.

> I'm thinking of implementing a lexer/parser for this, but first I'd like to 
> make sure I'm not going to reinvent the wheel :)


It sounds like you are reinventing SQL. Why do you need a DSL?

Matt

On Friday, March 2, 2018 at 7:45:19 AM UTC-6, Benjamin Thomas wrote:
>
> Hello gophers,
>
> Sorry if this is considered noise to some, as I have a question which is 
> not specifically go related.
>
> I have a personal project in which I'd like to use go though.
>
> Basically, I'd like to create a complex search form, returning data backed 
> by an SQL database.
>
> To prevent SQL injection and for flexibility, I'm set on using an sql 
> builder library.
>
> However I'm not sure how to go about querying the data itself, via query 
> params, without creating lots of boilerplate and duplication.
>
> I'm wondering if a solution similar to what I'm looking for exists, as 
> I've never stumbled upon one...
>  
> I'm submitting my thoughts below, and would greatly appreciate feedback :)
>
> ===NOTES_START===
> # Idea for query params, for a search form.
>
> Upon UI changes, javascript would generate the appropriate final query 
> string
>
> A query string could be typed in by a power user, to handle cases not 
> covered by a simpler UI (via the url or text input)
>
> ## First, create a solid CLI app. Then port it to the web via a JSON API, 
> that would simply consume the query string.
>
> ```
> go run ./cmd/query/main.go QUERY_STRING
> ```
>
> ## Query string format would follow this principle
>
>     PARAM_NAME : VALUE : OPERATOR
>
> ```
> # Commands
> columns:posted_on,short_descr:eq
> columns:posted_on,short_descr:hide
> columns:posting_id,posted_on,short_descr:show
>
> limit:10:eq
> limit:10  # would default to `eq`?
>
> page:1
> page:2
> offset:20
>
> # Filtering
> euros:11.94 # would default to `eq`?
> euros:11.94:eq
> euros:100:lt
> euros:100:lte
>
> comment:FIXME # would default to `eq`?
> comment:FIXME:eq
> comment:NULL:eq
> comment:NULL:ne
> comment:%tickets%:like
> comment:%Tickets%:ilike
>
> payee:Amazon|Google:re # regex
> payee:AMAZON|Google:rei # regex, case insensitive
>
> ```
>
> ## Question: how would I chain commands? I cannot use & in urls.
>
> ### Maybe with a pipe char
>
>     QUERY_STRING | QUERY_STRING | QUERY_STRING
>
> ### Or via AND, OR keywords
>
> ```
>     qs=QUERY_STRING
>
>     qs AND qs OR qs
> ```
>
> ### Boolean logic, force the use of parentheses?
>
> ```
>     qs=QUERY_STRING
>
>     (qs AND qs) OR (qs OR qs)
> ```
> ===NOTES_END===
>
> Basically, I guess I'm looking for some kind of DSL.
>
> I'm thinking of implementing a lexer/parser for this, but first I'd like 
> to make sure I'm not going to reinvent the wheel :)
>
> Thanks for your interest and input!
>
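
Added example, not part of the thread or of any library mentioned in it: a sketch of how the PARAM_NAME:VALUE:OPERATOR terms from the notes could be turned into a placeholder-based WHERE clause for database/sql. It assumes PostgreSQL ($n placeholders, ILIKE, ~ and ~*); the function name BuildWhere and the column allowlist are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Identifiers and operators cannot be bound as placeholders, so they are
// only ever taken from these fixed allowlists (hypothetical column set).
var columns = map[string]bool{"euros": true, "comment": true, "payee": true}

var operators = map[string]string{
	"eq": "=", "ne": "<>", "lt": "<", "lte": "<=",
	"like": "LIKE", "ilike": "ILIKE", "re": "~", "rei": "~*",
}

// BuildWhere converts terms such as "euros:100:lt" into a WHERE clause with
// $n placeholders plus the argument list to hand to db.Query.
func BuildWhere(terms []string) (string, []interface{}, error) {
	var conds []string
	var args []interface{}
	for _, t := range terms {
		first, last := strings.Index(t, ":"), strings.LastIndex(t, ":")
		if first < 1 {
			return "", nil, fmt.Errorf("malformed term %q", t)
		}
		name, value, op := t[:first], t[first+1:], "eq" // no operator: default to eq
		if last > first {
			value, op = t[first+1:last], t[last+1:]
		}
		sqlOp, ok := operators[op]
		if !columns[name] || !ok {
			return "", nil, fmt.Errorf("unknown column or operator in %q", t)
		}
		if value == "NULL" && (op == "eq" || op == "ne") {
			// "= NULL" never matches in SQL; emit IS [NOT] NULL instead.
			conds = append(conds, name+map[string]string{"eq": " IS NULL", "ne": " IS NOT NULL"}[op])
			continue
		}
		args = append(args, value) // user data travels only as a bound argument
		conds = append(conds, fmt.Sprintf("%s %s $%d", name, sqlOp, len(args)))
	}
	return strings.Join(conds, " AND "), args, nil
}

func main() {
	// Constructed input; the last value contains quote characters on purpose.
	fmt.Println(BuildWhere([]string{"euros:100:lt", "comment:NULL:ne", "payee:x' OR '1'='1"}))
}
```

The returned clause and arguments would be used as db.Query("SELECT ... WHERE "+where, args...), so the value text never becomes part of the SQL string.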
