diff options
| author | Daniel Theophanes <kardianos@gmail.com> | 2017-11-09 14:14:44 -0800 |
|---|---|---|
| committer | Daniel Theophanes <kardianos@gmail.com> | 2017-11-18 01:52:49 +0000 |
| commit | 262141a12a6ef0d914fe7aff8b3bde45ea59abb0 (patch) | |
| tree | 3901e8b2f7f2dc4fe79d5b4206ce6fd863e8718b /src/database/sql | |
| parent | ce68e1b81c470ef29ece6a33980ab05e2b8bb30c (diff) | |
| download | go-262141a12a6ef0d914fe7aff8b3bde45ea59abb0.tar.xz | |
database/sql: check for arg counts after eliminating arguments
Check for the expected number of arguments in a SQL statement
after arguments are eliminated in the argument converter.
This situation was already tested for in TestNamedValueChecker.
However the test used Exec which didn't have any check for
NumInput on it at all, thus this issue was never caught.
In addition to moving the NumInput check on the Query
methods after the converter, add the NumInput check
to the Exec methods as well.
Fixes #22630
Change-Id: If45920c6e1cf70dca63822a0cedec2cdc5cc611c
Reviewed-on: https://go-review.googlesource.com/76732
Run-TryBot: Daniel Theophanes <kardianos@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Diffstat (limited to 'src/database/sql')
| -rw-r--r-- | src/database/sql/sql.go | 21 |
1 files changed, 13 insertions, 8 deletions
diff --git a/src/database/sql/sql.go b/src/database/sql/sql.go index 1192eaae26..22458c0aeb 100644 --- a/src/database/sql/sql.go +++ b/src/database/sql/sql.go @@ -2256,6 +2256,13 @@ func resultFromStatement(ctx context.Context, ci driver.Conn, ds *driverStmt, ar return nil, err } + // -1 means the driver doesn't know how to count the number of + // placeholders, so we won't sanity check input here and instead let the + // driver deal with errors. + if want := ds.si.NumInput(); want >= 0 && want != len(dargs) { + return nil, fmt.Errorf("sql: statement expects %d inputs; got %d", want, len(dargs)) + } + resi, err := ctxDriverStmtExec(ctx, ds.si, dargs) if err != nil { return nil, err @@ -2422,18 +2429,16 @@ func rowsiFromStatement(ctx context.Context, ci driver.Conn, ds *driverStmt, arg ds.Lock() defer ds.Unlock() - want := ds.si.NumInput() + dargs, err := driverArgsConnLocked(ci, ds, args) + if err != nil { + return nil, err + } // -1 means the driver doesn't know how to count the number of // placeholders, so we won't sanity check input here and instead let the // driver deal with errors. - if want != -1 && len(args) != want { - return nil, fmt.Errorf("sql: statement expects %d inputs; got %d", want, len(args)) - } - - dargs, err := driverArgsConnLocked(ci, ds, args) - if err != nil { - return nil, err + if want := ds.si.NumInput(); want >= 0 && want != len(dargs) { + return nil, fmt.Errorf("sql: statement expects %d inputs; got %d", want, len(dargs)) } rowsi, err := ctxDriverStmtQuery(ctx, ds.si, dargs) |