Postgres could not determine data type of parameter $1 in Golang application

Question

I am creating an application in Golang that uses Postgres using the pq driver. I want to make a function that can select a user-determined field from my database, but I get an error:

pq: could not determine data type of parameter $1

Below is the code that generated this error:

var ifc interface{}

if err := conn.QueryRow("SELECT $1 FROM "+db+" WHERE uuid=$3 OR uri=$4 LIMIT 1", field, UUIDOrURI, UUIDOrURI).Scan(&ifc); err != nil {
    if err == sql.ErrNoRows {
        return http.StatusNotFound
    }

    log.Println(err)

    return http.StatusInternalServerError
}

Why can I not insert the field that I want to SELECT using $1? Is there another way to do this?

Related / possible duplicate of Golang ORDER BY issue with MySql. — icza
– icza, Commented Oct 5, 2016 at 10:22
maybe you should perform a type cast as explained here: github.com/jackc/pgx/issues/281#issuecomment-307247685 — Victor
– Victor, Commented Jun 6, 2019 at 18:11

laurent · Accepted Answer · 2016-10-05 10:17:43Z

4

You cannot use placeholders for field names. You'll have to build the query directly, as in:

"SELECT `" + field + "` FROM "

To avoid SQL injections, make sure that the field is part of a list of allowed fields beforehand.

answered Oct 5, 2016 at 10:17

laurent

91.2k83 gold badges310 silver badges445 bronze badges

Sign up to request clarification or add additional context in comments.

3 Comments

Kurt Stolle Over a year ago

I figured that is one method to do this, but that would require me to make a list of field names in the database, which is a hassle to update every time I update a field in the database. Is there not another way to do it using a placeholder instead?

Kul Over a year ago

You can apply a regex and make sure only valid characters are allowed.

laurent Over a year ago

You can also get the list of valid fields using something like this: dba.stackexchange.com/a/22368/37012 Then maybe cache the result of this query so that you can refer to it as needed.

jnmoal · Accepted Answer · 2016-10-05 11:38:20Z

-3

IMHO an easier way, but not safe, to create SQL queries is to use fmt.Sprintf:

query := fmt.Sprintf("SELECT %s FROM %s WHERE uuid=%s", field, db, UUIDOrURI)
if err := conn.QueryRow(query).scan(&ifc); err != nil {

}

You can even specify an argument index:

query := fmt.Sprintf("SELECT %[2]s FROM %[1]s", db, field)

In order to ease the development, I recommend to use a package for the postgresql communication, I tried this one and worked great.

edited Oct 5, 2016 at 11:38

answered Oct 5, 2016 at 10:53

jnmoal

1,0257 silver badges7 bronze badges

4 Comments

icza Over a year ago

Easiest does not imply safest. Package fmt has no knowledge of and does not attempt to prevent any SQL injection attacks.

jnmoal Over a year ago

I didn't mean it to be safe, just answered the question "Is there another way to do this?".

Filip Bartuzi Over a year ago

@Jean-NicolasMoal and probably you made someone lost his job, lol :D

Dan Esparza Over a year ago

xkcd.com/327

Collectives™ on Stack Overflow

Postgres could not determine data type of parameter $1 in Golang application

2 Answers 2

3 Comments

4 Comments

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

2 Answers 2

3 Comments

4 Comments

Your Answer

Sign up or log in

Post as a guest

Linked

Related