
Support for prepared statements and bound parameters #2926

Closed
aaronjwood opened this issue Jun 11, 2015 · 6 comments

@aaronjwood

Hi,

Please correct me if I'm wrong but I don't see any support for prepared statements and bound parameters. I'm trying to figure out a way to prevent SQL injection when using the Go client library.

Your README talks about doing something like this:

q := fmt.Sprintf("select count(%s) from %s", "value", MyMeasurement)
res, err := queryDB(con, q)

My understanding is that fmt.Sprintf does not protect against SQL injection at all. Is there a way to use Go's built-in prepare http://golang.org/pkg/database/sql/#DB.Prepare or query http://golang.org/pkg/database/sql/#DB.Query so that I can bind parameters to a query?

Thanks!

@manuel-huez

+1

@maddyblue

+1

@beckettsean beckettsean added this to the 1.0.0 milestone Jun 16, 2015
@etcinit

etcinit commented Oct 26, 2015

+1

@5outh

5outh commented Nov 4, 2015

+1

@jsternberg jsternberg self-assigned this May 16, 2016
jsternberg added a commit that referenced this issue May 16, 2016
The parser can be passed a map of keys to literal values to be replaced
into the query. Parameters are preceded by a dollar sign (`$`). If a
parameter key is missing, an error is thrown by the parser.

Fixes #2926.
jsternberg added a commit that referenced this issue May 19, 2016
The parser can be passed a map of keys to literal values to be replaced
into the query. Parameters are preceded by a dollar sign (`$`). If a
parameter key is missing, an error is thrown by the parser.

Fixes #2926.
@timhallinflux timhallinflux modified the milestones: 1.0.0, 1.0.0 beta Dec 20, 2016
@vikrant6

+1

@aaronjwood (author)

Is this the right way to address this issue now? https://docs.influxdata.com/influxdb/v1.7/tools/api/#bind-parameters
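The README's Sprintf pattern that the opener quotes, placed next to the bind-parameter approach the commits above describe (a `$name` placeholder in the query text, a separate map of literal values, an error when a placeholder has no key), as an added example. This is not code from the issue, the README or the InfluxDB client: it builds a request for the InfluxDB 1.x HTTP `/query` endpoint documented at the link above using only the Go standard library, where the query text travels in `q` and the bound values travel as a JSON object in `params`. `UnsafeQuery`, `Placeholders`, `BuildQueryURL` and the client-side missing-key pre-flight are hypothetical helpers written for this example, and the hostile input is constructed. One caveat a practitioner should keep in mind: the parser substitutes parameters for literal values only, so an identifier such as the README's `MyMeasurement` cannot be bound this way and still needs validation (for instance against an allow-list of known measurement names) before it is placed in the query text.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"sort"
)

// UnsafeQuery reproduces the README pattern from the issue: the caller's value is
// spliced straight into the InfluxQL text, so a value containing a quote and a
// semicolon can close the string literal and start a second statement.
func UnsafeQuery(host string) string {
	return fmt.Sprintf("select * from cpu where host = '%s'", host)
}

// paramRe matches "$name" placeholders in an InfluxQL query string.
var paramRe = regexp.MustCompile(`\$[A-Za-z_][A-Za-z0-9_]*`)

// Placeholders returns the sorted, de-duplicated parameter names (without "$") found in q.
func Placeholders(q string) []string {
	seen := map[string]bool{}
	for _, m := range paramRe.FindAllString(q, -1) {
		seen[m[1:]] = true
	}
	names := make([]string, 0, len(seen))
	for n := range seen {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// BuildQueryURL assembles a GET URL for the InfluxDB 1.x /query endpoint. The query
// text goes in "q" unchanged and the bound values go in "params" as a JSON object,
// so user input never becomes part of the query text. InfluxDB substitutes
// parameters for literal values only; a measurement or field name cannot be bound.
// The missing-key check is a hypothetical client-side pre-flight added for this
// example (not part of the InfluxDB client); the server's parser rejects it too.
func BuildQueryURL(base, db, q string, params map[string]interface{}) (string, error) {
	for _, name := range Placeholders(q) {
		if _, ok := params[name]; !ok {
			return "", fmt.Errorf("query references $%s but no value was bound for it", name)
		}
	}
	body, err := json.Marshal(params)
	if err != nil {
		return "", err
	}
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	u.Path = "/query"
	v := url.Values{}
	v.Set("db", db)
	v.Set("q", q)
	v.Set("params", string(body))
	u.RawQuery = v.Encode()
	return u.String(), nil
}

func main() {
	// Constructed hostile input: closes the string literal and chains a second statement.
	hostile := "x'; DROP MEASUREMENT cpu; SELECT 'y"

	fmt.Println("Sprintf:", UnsafeQuery(hostile))

	u, err := BuildQueryURL("http://localhost:8086", "telegraf",
		"select * from cpu where host = $host",
		map[string]interface{}{"host": hostile})
	if err != nil {
		panic(err)
	}
	fmt.Println("bound:  ", u)

	// A placeholder with nothing bound to it is an error, not a silent empty value.
	_, err = BuildQueryURL("http://localhost:8086", "telegraf",
		"select * from cpu where host = $host", nil)
	fmt.Println("missing:", err)
}
```

With the Sprintf version the server receives two statements, the second of which drops the measurement; with the bound version the server receives `select * from cpu where host = $host` and a JSON object, and the hostile string is only ever treated as the value of `host`.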
