Always use bound parameters
PostgreSQL has two string syntaxes, one that allows backslash escapes and one that does not (SQL standard conforming strings). By default PostgreSQL uses standard conforming strings. QuoteString was only designed for use with standard conforming strings. If PostgreSQL was configured with certain combinations of the standard_conforming_strings and backslash_quote settings, QuoteString may not correctly sanitize strings. QuoteString was only used in unprepared queries, bound parameters are used for prepared queries. This commit alters pgx to use always use bound parameters. As a consequence of never doing string interpolation there is no need to have separate Text and Binary encoders. There is now only the Encoder interface. This change had a negative effect on the performance of simple unprepared queries, but prepared statements should already be used for performance. fixes #26 https://github.com/jackc/pgx/issues/26
This commit is contained in:
Jack Christensen
@@ -142,11 +142,9 @@ configure the TLS connection.
|
||||
pgx includes support for the common data types like integers, floats, strings,
|
||||
dates, and times that have direct mappings between Go and SQL. Support can be
|
||||
added for additional types like point, hstore, numeric, etc. that do not have
|
||||
direct mappings in Go by the types implementing Scanner, TextEncoder, and
|
||||
optionally BinaryEncoder. To enable binary format for custom types, a prepared
|
||||
statement must be used and the field description of the returned field must have
|
||||
FormatCode set to BinaryFormatCode. See example_custom_type_test.go for an
|
||||
example of a custom type for the PostgreSQL point type.
|
||||
direct mappings in Go by the types implementing Scanner and Encoder. See
|
||||
example_custom_type_test.go for an example of a custom type for the PostgreSQL
|
||||
point type.
|
||||
|
||||
### Null Mapping
|
||||
|
||||
|
||||
Reference in New Issue
Block a user