I was writing a wrapper/validator over pg in Go when I came upon a rather annoying thing... passing very long strings as arguments. Basically I have this string:
```go
// The query as posted, with the two missing + operators restored so it compiles.
"UPDATE " + m["table"] + "_tags SET keys = keys || ," + strconv.Itoa(key) + " WHERE tag = " + t + ";" + "INSERT INTO " + m["table"] + "_tags (tag,keys) SELECT '" + t + "', '" + strconv.Itoa(key) + ") WHERE NOT EXISTS(SELECT 1 FROM " + m["table"] + "_tags WHERE tag = " + t + ");"
```
Ok, big, unwieldy, full of ' and "... hell on earth. But that's how SQL queries look and quite frankly I can't think of a better way of dynamically composing them.
So in a reasonable language like C++ this would simply work. In JavaScript I'd add "\" at the end of each... etc.
Is there such a mechanic in Go? I previously heard that adding "," at the end of each line is the equivalent of \ in JavaScript, but the documentation for this seems to be rather poorly written and most examples online cite things like:
"Change your SQL query" (doable, but not exactly the solution I want from a low-level language). "Use ' at the beginning and end"... but since there's no way to escape ' inside of ' that would be kind of hard (adding an additional 6* + operators) and I'm quite unsure if wrapping with ' works when I have + concatenations inside. Suggestions?
(Best I can come up with is construct the string outside the argument but once again that seems hack-ish)
Create a template:
`UPDATE %s_tags SET keys = keys || %d WHERE tag = %d; INSERT INTO %s ...;`
Then pass in the parameters.
P.S. This can be vulnerable to ingestion attack, verify the values before plugging them in.
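An added example (not code from either poster) that covers both the question's multi-line string mechanic and the answer's template approach: Go raw string literals in backticks span lines and hold ' and " without escaping, so the query text can be laid out like SQL. The only thing spliced into the text is the table name, which is checked against an identifier pattern first; the tag and key values travel as PostgreSQL `$1`/`$2` bind parameters, so the P.S. above about validating what gets plugged in is handled by the driver rather than by string concatenation. The `Statement` type, `BuildTagUpsert` and the table/tag values are assumptions made for this example; `Statement.SQL` and `Statement.Args` are meant to be handed to `db.Exec(stmt.SQL, stmt.Args...)`.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Statement is one SQL text plus the bind arguments to pass alongside it.
// (Hypothetical helper type for this example.)
type Statement struct {
	SQL  string
	Args []interface{}
}

// identRe accepts only plain SQL identifiers. A table name taken from a map,
// like m["table"] in the question, is the one piece that cannot be a bind
// parameter, so it is validated before it is spliced into the query text.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// Raw string literals (backticks) may span lines and contain both quote kinds.
// %s is the validated table name; $1 and $2 are PostgreSQL bind placeholders.
// The two statements are kept separate because PostgreSQL rejects bind
// parameters in a multi-statement string.
const updateTagSQL = `
UPDATE %s_tags
   SET keys = keys || $2
 WHERE tag = $1`

const insertTagSQL = `
INSERT INTO %s_tags (tag, keys)
SELECT $1, $2
 WHERE NOT EXISTS (SELECT 1 FROM %s_tags WHERE tag = $1)`

// BuildTagUpsert returns the update and conditional insert from the question
// as parameterised statements. Values never touch the SQL text, so a tag such
// as "it's" or "x'; DROP TABLE ..." is just data to the database.
func BuildTagUpsert(table, tag string, key int) ([]Statement, error) {
	if !identRe.MatchString(table) {
		return nil, fmt.Errorf("refusing table identifier %q: not a plain identifier", table)
	}
	args := []interface{}{tag, key}
	return []Statement{
		{SQL: strings.TrimSpace(fmt.Sprintf(updateTagSQL, table)), Args: args},
		{SQL: strings.TrimSpace(fmt.Sprintf(insertTagSQL, table, table)), Args: args},
	}, nil
}

func main() {
	// Constructed sample input; with a real *sql.DB each statement would be
	// executed as db.Exec(s.SQL, s.Args...).
	stmts, err := BuildTagUpsert("photo", "sunset", 42)
	if err != nil {
		panic(err)
	}
	for _, s := range stmts {
		fmt.Printf("%s\n  args=%v\n", s.SQL, s.Args)
	}

	// A table name carrying extra SQL is rejected before any text is built.
	if _, err := BuildTagUpsert("photo; DROP TABLE photo_tags; --", "x", 1); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The split into two statements matters in practice: lib/pq and pgx send a parameterised query through the extended protocol, which allows exactly one statement per call, so the `;`-joined template from the answer only works when no placeholders are used.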