squirrel icon indicating copy to clipboard operation
squirrel copied to clipboard
verified publisher icon Masterminds

Question: OrderBy column name placeholder

Open dchukmasov opened this issue 3 years ago • 1 comments

Hi! It is known that SQL ORDER BY clauses cannot use a placeholder for a column name. However, my question is - is there a way in squirrel to safely build an ORDER BY clause with column name coming from user input? (i.e. building a string and then using it in builder.OrderBy seems unsafe). Thanks!

dchukmasov avatar Aug 06 '22 12:08 dchukmasov

Squirrel does not provide any kind of escaping/quoting itself, so you are correct that using user input directly in OrderBy would be unsafe. Depending on exactly what you are trying to do, I would say there are two good options:

  • Use a database-driver-specific function to escape the table name prior to passing it to OrderBy, e.g. https://pkg.go.dev/github.com/lib/pq#QuoteIdentifier
  • Check the column names against a strict set of allowable characters, such as the regex [a-z_]+. This might be fine if your column names are very limited.

lann avatar Aug 22 '22 13:08 lann