by dosethree 1274 days ago
golang https://github.com/Masterminds/squirrel

Constructing SQL by concatenating strings has a few issues: it's repetitive and hard to assemble certain queries conditionally, and at least in golang it's easy to write code vulnerable to SQL injection, and you can avoid that by using types.

1 comment

I never use string concat to generate SQL in Go - isn't it normal to use placeholders? i.e.,

    db.QueryRow("select $1", n)
Looking at squirrel, I really don’t see how this

    sql, args, err := sq.Insert("users").Columns("name", "age").
    Values("moe", 13).Values("larry", sq.Expr("? + 5", 12)).
    ToSql()
is better than this

    sql == "INSERT INTO users (name,age) VALUES (?,?),(?,? + 5)"
That said, I will happily agree that SQL statement composition is not the same as an ORM, and I can see the benefit of Squirrel for those rare times you do need to conditionally build SQL statements.
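Both sides of the thread (the submission's point about string concatenation and injection, and the comment's point about conditionally built statements) come down to one distinction: whether user input ends up in the SQL text or only in the argument list. The following is an added example, not code from the thread or from squirrel; it hand-rolls a tiny conditional builder in the style the comment describes, using only the Go standard library. `UserFilter`, `buildUnsafe` and `buildSafe` are hypothetical names chosen for this illustration, and the filter input is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// UserFilter holds optional search criteria; zero values mean "not set".
// Hypothetical type constructed for this example.
type UserFilter struct {
	Name   string
	MinAge int
}

// buildUnsafe concatenates the filter values straight into the SQL text.
// It exists only to show the failure mode the submission describes: the
// shape of the query depends on the content of the input.
func buildUnsafe(f UserFilter) string {
	q := "SELECT id FROM users WHERE 1=1"
	if f.Name != "" {
		q += " AND name = '" + f.Name + "'"
	}
	if f.MinAge > 0 {
		q += fmt.Sprintf(" AND age >= %d", f.MinAge)
	}
	return q
}

// buildSafe assembles the same query conditionally, but each value goes into
// args and only a "?" placeholder goes into the SQL text, so the text is the
// same for every input of a given shape. This is the idea a builder like
// squirrel packages up; the builder here is hand-written for the example.
func buildSafe(f UserFilter) (string, []interface{}) {
	var where []string
	var args []interface{}
	if f.Name != "" {
		where = append(where, "name = ?")
		args = append(args, f.Name)
	}
	if f.MinAge > 0 {
		where = append(where, "age >= ?")
		args = append(args, f.MinAge)
	}
	q := "SELECT id FROM users"
	if len(where) > 0 {
		q += " WHERE " + strings.Join(where, " AND ")
	}
	return q, args
}

func main() {
	// Constructed input: an ordinary name that happens to contain a quote.
	in := UserFilter{Name: "o'brien", MinAge: 18}

	// The concatenated form is now syntactically different SQL.
	fmt.Println(buildUnsafe(in))

	// The placeholder form keeps the text fixed; the quote stays in args,
	// where the driver hands it to the database as data.
	q, args := buildSafe(in)
	fmt.Println(q, args)
}
```

The pair of functions also makes the comment's point concrete: for a single fixed statement, `db.QueryRow("select $1", n)` already gives you the placeholder discipline for free, and the builder only earns its keep when the set of `WHERE` clauses varies at runtime, which is exactly the case where ad hoc concatenation tends to creep back in.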