I am using the "database/sql" package in Go. I want to create a table with a variable name.
The only way I can think of is:
db.Exec(`CREATE TABLE ` + table_name + `;`)
But it is not safe, as it is open to SQL injection.
I don't code in Go, but this would probably be safe against injection:
tx.Prepare(`do $$ begin execute format($f$create table %I()$f$,$1); end; $$;`)
and then
stmt.Exec(table_name)
Just use placeholders like:
db.Exec("CREATE TABLE $1", "table_name")
With most development platforms, parameterized statements that work with parameters can be used (sometimes called placeholders or bind variables) instead of embedding user input in the statement. A placeholder can only store a value of the given type and not an arbitrary SQL fragment. Hence the SQL injection would simply be treated as a strange (and probably invalid) parameter value.
It's just like @Vao Tsun said:
stmt, err := db.Prepare("CREATE TABLE $1")
if err != nil {
    log.Fatal(err)
}
defer stmt.Close()
// The table name is passed as a bound parameter rather than concatenated in.
if _, err := stmt.Exec("DB_NAME_HERE"); err != nil {
    log.Fatal(err)
}
Go through the official documentation and look at its example as well for a clear understanding.
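One caveat for the placeholder answers above: in database/sql a placeholder binds a value, not an identifier, and PostgreSQL (and MySQL) reject a table name in a `$1`/`?` position of DDL. The usual defensive pattern is to validate the caller-supplied name against a strict allowlist and quote it as an identifier, then run the finished statement with no arguments. The example below is added here and is not code from any of the answers or from database/sql; the regexp, the fixed column list and the sample names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// identRe is a deliberately strict allowlist for table names: a letter or
// underscore followed by up to 62 letters, digits or underscores (63 bytes is
// PostgreSQL's identifier limit). Anything else is rejected before any SQL is built.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]{0,62}$`)

// QuoteIdent validates name against the allowlist and returns it as a
// double-quoted SQL identifier. Embedded double quotes would be doubled, but
// the allowlist already excludes them; the quoting is defence in depth.
func QuoteIdent(name string) (string, error) {
	if !identRe.MatchString(name) {
		return "", errors.New("invalid identifier: " + name)
	}
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`, nil
}

// CreateTableSQL builds the DDL. The table name is the only caller-supplied
// part; the column list is fixed by the application (assumed here), never by input.
func CreateTableSQL(table string) (string, error) {
	q, err := QuoteIdent(table)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("CREATE TABLE %s (id SERIAL PRIMARY KEY, payload TEXT)", q), nil
}

func main() {
	// Constructed sample names: one acceptable, one that must be rejected.
	for _, name := range []string{"events_2024", "events; DROP TABLE users"} {
		sql, err := CreateTableSQL(name)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println(sql) // this string would go to db.Exec(sql) with no arguments
	}
}
```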