Hi,
At the moment I'm writing a little web application in Golang. I wish to save a string from an HTML form to a MySQL database, but I'm worried about special characters and escape sequences. I wrote a little function with a regex, but I think it is not enough for production (the "real world").
Maybe you know of some framework or library for Golang for safe string processing? (like mysql_real_escape_string in PHP)
Thank you
Comments:
brokedown:
Brasilikum: Those escapes are really only needed if you're creating a query string by hand with data, which you should never do with dynamic arguments.
In Go, you would do something like:
    _, err := db.Exec("insert into foo (fieldA, fieldB) values (?, ?)", valueA, valueB)
whitedruid: Citing a Stack Overflow answer:
As long as you're using Prepare or Query, you're safe.
    // this is safe
    db.Query("SELECT name FROM users WHERE age=?", req.FormValue("age"))
    // this allows SQL injection
    db.Query("SELECT name FROM users WHERE age=" + req.FormValue("age"))
Brasilikum: Thanks! I tried both solutions and I didn't feel a difference, but I'm a newbie at software development in Go ;) ..... I found this: https://astaxie.gitbooks.io/build-web-application-with-golang/content/en/09.4.html
3264128256: In the first case you are concatenating everything into one string and then passing it to the db package. If it contains illegal characters, they are evaluated. If you pass many strings, the db package may check every single one for illegal characters.
As others have said, if you're worried about SQL injection, prepared statements will get rid of that.
If you're worried about displaying the said HTML in a browser, it's a different issue. Go's template/html outputs HTML which is safe against code injection. Or if you're using something else, you could process it through HTMLEscapeString or HTMLEscape.
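The two points made in this thread, parameterized queries for storage and html/template for display, put together as an added example (not code from any of the commenters). The table name `users`, its columns `name`/`age`, and the `insertUser`/`findByAge`/`RenderPage` helpers are assumptions for illustration; the SQL functions take any `*sql.DB`, so they only run against a real database, while the HTML part runs on its own.

```go
package main

import (
	"bytes"
	"database/sql"
	"fmt"
	"html/template"
)

// insertUser stores form values with a parameterized query. The driver sends
// the arguments separately from the SQL text, so no manual escaping is needed.
// (Hypothetical table "users" with columns name and age.)
func insertUser(db *sql.DB, name string, age int) error {
	_, err := db.Exec("INSERT INTO users (name, age) VALUES (?, ?)", name, age)
	return err
}

// findByAge is the "safe" form quoted above: the placeholder keeps the form
// value as data rather than making it part of the SQL statement.
func findByAge(db *sql.DB, age string) (*sql.Rows, error) {
	return db.Query("SELECT name FROM users WHERE age=?", age)
}

// concatenatedQuery is the "unsafe" form: the form value becomes part of the
// SQL text itself, so whatever it contains is parsed as SQL. Shown only to
// contrast with findByAge; never send a string built like this to the DB.
func concatenatedQuery(age string) string {
	return "SELECT name FROM users WHERE age=" + age
}

// Page is the data rendered into the HTML template.
type Page struct {
	Name string
	Bio  string
}

// html/template escapes each value according to where it appears, so a
// stored string containing markup is shown as text, not executed as HTML.
var pageTmpl = template.Must(template.New("p").Parse(
	`<p>Hello, {{.Name}}</p><p>{{.Bio}}</p>`))

// RenderPage returns the escaped HTML for a value read back from the DB.
func RenderPage(p Page) (string, error) {
	var buf bytes.Buffer
	if err := pageTmpl.Execute(&buf, p); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// EscapeForHTML is the manual alternative mentioned in the thread for code
// that does not render through html/template.
func EscapeForHTML(s string) string {
	return template.HTMLEscapeString(s)
}

func main() {
	// Constructed input standing in for what an HTML form might submit.
	out, err := RenderPage(Page{Name: "<b>Bob</b>", Bio: "Tom & Jerry"})
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
	fmt.Println(EscapeForHTML(`a<"b"`))
	fmt.Println(concatenatedQuery("30"))
}
```

Running it prints the two paragraphs with `<b>`, `</b>` and `&` turned into entities, which is the behaviour the last comment describes: the escaping for SQL happens in the driver via placeholders, and the escaping for HTML happens in html/template at output time, so the stored string itself stays unmodified.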
