Skip to main content

Parameters

To prevent SQL injection, it is necessary to use parameters in our queries. With bob use sm.Arg() where necessary. This will write the placeholder correctly in the generated sql, and return the value in the argument slice.

// args: 100, "Stephen"
// Postgres: SELECT * from users WHERE "id" = $1 AND "name" = $2
// SQLite: SELECT * from users WHERE "id" = ?1 AND "name" = ?2
// MySQL: SELECT * from users WHERE "id" = ? AND "name" = ?
psql.Select(
sm.From("users"),
sm.Where(psql.Quote("id").EQ(psql.Arg(100))),
sm.Where(psql.Quote("name".EQ(psql.Arg("Stephen"))),
)