ExplainSQL generates a SQL string with the given parameters; the generated SQL is expected to be used only in the logger — executing it might introduce a SQL injection vulnerability
(sql string, numericPlaceholder *regexp.Regexp, escaper string, avars ...interface{})
| 50 | // ExplainSQL generate SQL string with given parameters, the generated SQL is expected to be used in logger, execute it might introduce a SQL injection vulnerability |
| 51 | func ExplainSQL(sql string, numericPlaceholder *regexp.Regexp, escaper string, avars ...interface{}) string { |
| 52 | var ( |
| 53 | convertParams func(interface{}, int) |
| 54 | vars = make([]string, len(avars)) |
| 55 | ) |
| 56 | |
| 57 | convertParams = func(v interface{}, idx int) { |
| 58 | switch v := v.(type) { |
| 59 | case bool: |
| 60 | vars[idx] = strconv.FormatBool(v) |
| 61 | case time.Time: |
| 62 | if v.IsZero() { |
| 63 | vars[idx] = escaper + tmFmtZero + escaper |
| 64 | } else { |
| 65 | vars[idx] = escaper + v.Format(tmFmtWithMS) + escaper |
| 66 | } |
| 67 | case *time.Time: |
| 68 | if v != nil { |
| 69 | if v.IsZero() { |
| 70 | vars[idx] = escaper + tmFmtZero + escaper |
| 71 | } else { |
| 72 | vars[idx] = escaper + v.Format(tmFmtWithMS) + escaper |
| 73 | } |
| 74 | } else { |
| 75 | vars[idx] = nullStr |
| 76 | } |
| 77 | case driver.Valuer: |
| 78 | reflectValue := reflect.ValueOf(v) |
| 79 | if v != nil && reflectValue.IsValid() && ((reflectValue.Kind() == reflect.Ptr && !reflectValue.IsNil()) || reflectValue.Kind() != reflect.Ptr) { |
| 80 | r, _ := v.Value() |
| 81 | convertParams(r, idx) |
| 82 | } else { |
| 83 | vars[idx] = nullStr |
| 84 | } |
| 85 | case fmt.Stringer: |
| 86 | reflectValue := reflect.ValueOf(v) |
| 87 | switch reflectValue.Kind() { |
| 88 | case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64: |
| 89 | vars[idx] = strconv.FormatInt(reflectValue.Int(), 10) |
| 90 | case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64: |
| 91 | vars[idx] = strconv.FormatUint(reflectValue.Uint(), 10) |
| 92 | case reflect.Float32, reflect.Float64: |
| 93 | vars[idx] = strconv.FormatFloat(reflectValue.Float(), 'f', 6, 64) |
| 94 | case reflect.Bool: |
| 95 | vars[idx] = strconv.FormatBool(reflectValue.Bool()) |
| 96 | case reflect.String: |
| 97 | vars[idx] = escaper + strings.ReplaceAll(fmt.Sprintf("%v", v), escaper, escaper+escaper) + escaper |
| 98 | default: |
| 99 | if v != nil && reflectValue.IsValid() && ((reflectValue.Kind() == reflect.Ptr && !reflectValue.IsNil()) || reflectValue.Kind() != reflect.Ptr) { |
| 100 | vars[idx] = escaper + strings.ReplaceAll(fmt.Sprintf("%v", v), escaper, escaper+escaper) + escaper |
| 101 | } else { |
| 102 | vars[idx] = nullStr |
| 103 | } |
| 104 | } |
| 105 | case []byte: |
| 106 | if s := string(v); isPrintable(s) { |
| 107 | vars[idx] = escaper + strings.ReplaceAll(s, escaper, escaper+escaper) + escaper |
| 108 | } else { |