
I'm wondering if there was any possibility to use this function:

```go
stmt, err := db.Prepare("INSERT INTO ? VALUES ()", tableName)
fatal(err)
```

What I am trying to do is: get a table name and, with Go, create a new element in the database with default options. (database = MySQL)

If you have any idea about why it isn't working or how I can do that, I would be really grateful.

Jonathan Hall
  • can you show us the error trace? – Arpit Aggarwal Mar 03 '18 at 11:22
  • 3
    Not possible, you cannot parameterize table names, nor column names, placeholders are for values not tables, columns, etc. To do what you want do this: `db.Prepare("INSERT INTO "+tableName+" VALUES ()")` and make sure to sanitize the tableName value if it's user input. – mkopriva Mar 03 '18 at 11:41
  • Ensure that you are supplying a full table name that exists. MySQL and, I'm pretty sure, Maria require specification of the database and table if there are multiple on the server. – thisischuck Mar 03 '18 at 13:26
  • 1
    To expand on @mkopriva's comment, there is currently no standard way to quote/escape/sanitize an identifier (but [discussions have been underway](https://github.com/golang/go/issues/18478) for a while) so you'll have to consult the MySQL/MariaDB documentation to write your own quoting function if you can't trust `tableName` to be safe already. – mu is too short Mar 03 '18 at 18:48

0 Answers
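The approach the comments describe (concatenate the table name, but only after checking it), as an added example that is not part of the original thread. The allowlist contents and the function names `quoteIdent` and `defaultInsertSQL` are assumptions; the quoting follows MySQL's backtick rule (wrap the identifier in backticks and double any embedded backtick).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// allowedTables is a constructed allowlist; the table names are hypothetical.
var allowedTables = map[string]bool{"users": true, "audit_log": true}

// quoteIdent quotes one MySQL identifier: it wraps the name in backticks and
// doubles any embedded backtick. Names MySQL would reject are refused early.
func quoteIdent(name string) (string, error) {
	switch {
	case name == "":
		return "", errors.New("empty identifier")
	case !utf8.ValidString(name) || strings.ContainsRune(name, 0):
		return "", errors.New("identifier contains invalid bytes")
	case utf8.RuneCountInString(name) > 64: // MySQL identifier length limit
		return "", errors.New("identifier longer than 64 characters")
	}
	return "`" + strings.ReplaceAll(name, "`", "``") + "`", nil
}

// defaultInsertSQL builds the statement from the question. Placeholders bind
// values only, so the table name is checked against the allowlist first and
// then quoted before it is concatenated into the SQL text.
func defaultInsertSQL(table string) (string, error) {
	if !allowedTables[table] {
		return "", fmt.Errorf("table %q is not on the allowlist", table)
	}
	quoted, err := quoteIdent(table)
	if err != nil {
		return "", err
	}
	return "INSERT INTO " + quoted + " VALUES ()", nil
}

func main() {
	// Constructed inputs: one known table, one name that is not allowlisted.
	for _, name := range []string{"users", "odd`name"} {
		sql, err := defaultInsertSQL(name)
		fmt.Printf("%q -> %q (err: %v)\n", name, sql, err)
	}
}
```

The returned string is what would be passed to `db.Prepare`; any column values still go through `?` placeholders as usual.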