squirrel icon indicating copy to clipboard operation
squirrel copied to clipboard

Published 20 hours ago verified publisher icon Masterminds

Limit and Offset use prepare statement placeholder

Open fengxuway opened this issue 1 year ago • 2 comments

Can Limit() and Offset() functions make a placeholder for prepare statement?

Use squirrel v1.5.4 the result:

sql, args, err := squirrel.Select("id").From("mytable").Where("id < ?", 100).Limit(10).Offset(20).ToSql()

// output
sql: SELECT id FROM mytable WHERE id < ? LIMIT 10 OFFSET 20
args: [100]

// Expect output
sql: SELECT id FROM mytable WHERE id < ? LIMIT ? OFFSET ?
args: [100, 10, 20]

fengxuway avatar Apr 20 '23 04:04 fengxuway

I likewise found this to be unexpected behavior. As those frequently come from query parameters (user input) when implementing pagination, this has security implementations.

In the meantime, a workaround is: Suffix("LIMIT ? OFFSET ?", limit, offset)

TrueWill avatar Jun 08 '23 20:06 TrueWill

Hello! The problem is still present in the latest version of the project.

Could you please let me know if there are any planned actions or timelines for resolving this issue?

dmitriykara avatar Jun 17 '24 14:06 dmitriykara