Or else it's a prepared statement which gets invoked with parameters.
Mysql's own documentation is unclear on where placeholders can be
used: https://dev.mysql.com/doc/refman/8.0/en/sql-prepared-statements.html
Note that they give this example:
mysql> SET @table = 't1'; mysql> SET @s = CONCAT('SELECT * FROM ', @table);
mysql> PREPARE stmt3 FROM @s; mysql> EXECUTE stmt3;
They don't do "SELECT * FROM ?" because you're not allowed to use a
placeholder for the table name - it must be inlined into the SQL. (And in
this example @table had better be from a trusted source, since they don't
do any quoting or escaping)
On Monday, 18 September 2023 at 13:01:52 UTC+1 Vladimir Varankin wrote:
> A thing, that it may be valuable to explain further, is that Go's
> "database/sql" doesn't come with a built-in query builder.
>
> The package implements the database connection pooling/management, but it
> passes the user's SQL input and its arguments to the "driver". Depending on
> the particular database kind, the driver may or may not try to interpret
> the query (and the args), before it passes them to the database server.
>
> In the specific example of MySQL/MariaDB, the support for placeholder "?"
> is a part of this database's flavour of SQL. Thus, it's likely, the driver
> you're using, passes the query with a placeholder to the DB server, but the
> DB's support of placeholders is limited to only a subset of queries (or
> places inside a query) — as the link to SO's answer, shared previously,
> explained.
>
> Hope this makes it a little bit more clear.
>
> On Sunday, September 17, 2023 at 10:45:27 AM UTC+2 Brian Candler wrote:
>
>> According to this SO answer, CREATE USER in mysql doesn't support
>> placeholders:
>>
>> https://stackoverflow.com/questions/20647115/how-to-write-create-user-with-mysql-prepared-statement
>> *"+1 for a legitmiate use of QUOTE() which is really the sanest thing
>> that can be done here, since CREATE USER doesn't support ? placeholders"*
>>
>> You can test this by trying a simple DML statement, e.g.
>> UPDATE users SET name=? where name=?
>>
>> On Sunday, 17 September 2023 at 01:02:08 UTC+1 John Zh wrote:
>>
>>> Hi !
>>> I am going to make some kind of manager app over MySQL clusters by using
>>> Golang. But I found that when I try to exec some SQL line includes user
>>> name or db name, the SQL line can't be correctly parameterized.
>>> For example:
>>> Using GORM based on database/sql or directly using database/sql
>>> ```
>>> err := db.Exec("CREATE USER ? IDENTIFIED BY ?", a.Name, a.Pwd).Error
>>> ```
>>> Got
>>> ```
>>> [1.824ms] [rows:0] CREATE USER 'Reiis' IDENTIFIED BY '12345'
>>> Error 1064 (42000): You have an error in your SQL syntax; check the
>>> manual that corresponds to your MySQL server version for the right syntax
>>> to use near '? IDENTIFIED BY ?' at line 1
>>> ```
>>>
>>> Seems like it does not replace "?" with a.Name, but rather passes the
>>> SQL command with "?" directly to MySQL. What is more wired, it prints
>>> the SQL command with correctly replaced parameters in the log.
>>>
>>> I don't know the the underlying reason behind this phenomenon, is it
>>> intentionally designed like that?
>>> Thx!
>>>
>>
--
You received this message because you are subscribed to the Google Groups
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/golang-nuts/c5d53429-085c-49c2-ba15-1f2b018cbe8an%40googlegroups.com.
