squirrel Limit and Offset use prepare statement placeholder

Limit and Offset use prepare statement placeholder

Open fengxuway opened this issue 1 year ago • 1 comments

Can Limit() and Offset() functions make a placeholder for prepare statement?

Use squirrel v1.5.4 the result:

sql, args, err := squirrel.Select("id").From("mytable").Where("id < ?", 100).Limit(10).Offset(20).ToSql()

// output
sql: SELECT id FROM mytable WHERE id < ? LIMIT 10 OFFSET 20
args: [100]

// Expect output
sql: SELECT id FROM mytable WHERE id < ? LIMIT ? OFFSET ?
args: [100, 10, 20]

Apr 20 '23 04:04 fengxuway

I likewise found this to be unexpected behavior. As those frequently come from query parameters (user input) when implementing pagination, this has security implementations.

In the meantime, a workaround is: Suffix("LIMIT ? OFFSET ?", limit, offset)

Jun 08 '23 20:06 TrueWill

squirrel squirrel copied to clipboard

Limit and Offset use prepare statement placeholder

squirrel
squirrel copied to clipboard