When we write a web application, we use SQL prepared statements instead of concatenating SQL strings to avoid SQL injection. For example:
sql.exec("select * from user where user_id=?", user_id)
But how do we write a prepared WHERE ... IN in SQL? For example:
sql.exec("select * from user where user_id in ?", user_ids)
If it is impossible, what is the proper way to avoid SQL injection in such a situation?
Thanks.
Change the user_ids string to an id array:
idArr := strings.Split(user_ids, ",")
Create the SQL:
import (
    "database/sql"
    "strings"
)

// queryByIDs runs "select * from user where user_id in (?,?,...)" with one
// "?" placeholder per id; the ids are passed as bound arguments, never
// spliced into the SQL text.
func queryByIDs(db *sql.DB, idArr []string) (*sql.Rows, error) {
    vals := []interface{}{}
    sqlStr := "select * from user where user_id in ("
    for _, v := range idArr {
        vals = append(vals, v)
        sqlStr += "?,"
    }
    sqlStr = strings.TrimRight(sqlStr, ",") // drop the trailing comma
    sqlStr += ")"
    stmt, err := db.Prepare(sqlStr)
    if err != nil {
        return nil, err
    }
    defer stmt.Close()
    return stmt.Query(vals...) // caller is responsible for rows.Close()
}
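The same placeholder-per-id technique as a reusable builder, added here as an example that is not part of the answer above. It goes a little beyond the answer: it drops blank entries, refuses an empty list (IN () is a syntax error in most dialects, so the caller must decide what an empty filter means), and can emit $1,$2,... for PostgreSQL as well as ?,?,... for MySQL/SQLite. The function name buildInQuery and the numbered flag are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNoIDs is returned for an empty id list instead of emitting "in ()".
var ErrNoIDs = errors.New("buildInQuery: empty id list")

// buildInQuery returns a parameterized query with one placeholder per id and
// the matching argument slice. The id values never enter the SQL text, so
// quotes or parentheses inside them cannot change the query's structure.
// numbered=true emits $1,$2,... (PostgreSQL); false emits ?,?,... (MySQL, SQLite).
func buildInQuery(base string, rawIDs []string, numbered bool) (string, []interface{}, error) {
	args := make([]interface{}, 0, len(rawIDs))
	ph := make([]string, 0, len(rawIDs))
	for _, id := range rawIDs {
		id = strings.TrimSpace(id)
		if id == "" { // skip blanks from input like "1,,2" or a trailing comma
			continue
		}
		args = append(args, id)
		if numbered {
			ph = append(ph, fmt.Sprintf("$%d", len(args)))
		} else {
			ph = append(ph, "?")
		}
	}
	if len(args) == 0 {
		return "", nil, ErrNoIDs
	}
	return base + " in (" + strings.Join(ph, ",") + ")", args, nil
}

func main() {
	// Constructed input: the third id carries a quote and a parenthesis,
	// which stay inside the bound argument rather than the SQL string.
	q, args, err := buildInQuery("select * from user where user_id",
		strings.Split("1, 2,,3')", ","), false)
	fmt.Println(q, args, err)
}
```

With a database/sql handle the result is run as db.Query(q, args...).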