I have a query similar to the one below, slightly different from the example for Named Arguments in the GORM documentation:

```go
db.Raw("SELECT * FROM users WHERE (name1 ILIKE @Name AND name3 ILIKE @Name) AND name2 ILIKE @Name2",
    NamedArgument{Name: "jinzhu", Name2: "jinzhu2"}).Find(&user)
```
I searched around but couldn't find an answer. Are Named Arguments with `db.Raw()` SQL-injection safe or parametrized? Is there anything else I need to do to make this more secure if the input is coming from user input?
Comment From: github-actions[bot]
The issue has been automatically marked as stale as it is missing a playground pull request link, which is important to help others understand your issue effectively and make sure the issue hasn't been fixed on latest master; check out https://github.com/go-gorm/playground for details. It will be closed in 30 days if no further activity occurs. If you are asking a question, please use the Question template; most likely your question is already answered at https://github.com/go-gorm/gorm/issues or described in the documentation at https://gorm.io ✨ Search Before Asking ✨
Comment From: a631807682
GORM uses the database/sql's argument placeholders to construct the SQL statement, which will automatically escape arguments to avoid SQL injection.

NamedArg is injection safe.
https://github.com/go-gorm/gorm/blob/master/clause/expression_test.go#L85
https://gorm.io/docs/security.html#Query-Condition
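To make the mechanism concrete, here is an added, self-contained illustration (not GORM's own code, whose implementation lives in its `clause` package and is exercised by the test linked above) of what "named arguments are passed as placeholders" means. The hypothetical `BindNamed` function rewrites each `@Name` token into a positional `?` placeholder and collects the matching values in placeholder order from a `sql.NamedArg`, a `map[string]interface{}`, or an exported struct field, so the user-supplied values are handed to the driver separately and never spliced into the SQL text. The sample query and the `NamedArgument` struct are constructed for this example.

```go
package main

import (
	"database/sql"
	"fmt"
	"reflect"
	"regexp"
	"strings"
)

// namedArgPattern matches @Identifier tokens. For brevity this toy does not skip
// '@' characters inside quoted string literals; a production binder must.
var namedArgPattern = regexp.MustCompile(`@([A-Za-z_][A-Za-z0-9_]*)`)

// collectNamedValues flattens the supported argument kinds into one name->value map.
func collectNamedValues(args ...interface{}) (map[string]interface{}, error) {
	values := map[string]interface{}{}
	for _, a := range args {
		switch v := a.(type) {
		case sql.NamedArg: // database/sql's own named argument type
			values[v.Name] = v.Value
		case map[string]interface{}:
			for k, val := range v {
				values[k] = val
			}
		default: // a struct (or pointer to one) whose exported fields are the names
			rv := reflect.ValueOf(a)
			if rv.Kind() == reflect.Ptr {
				rv = rv.Elem()
			}
			if rv.Kind() != reflect.Struct {
				return nil, fmt.Errorf("unsupported argument type %T", a)
			}
			rt := rv.Type()
			for i := 0; i < rt.NumField(); i++ {
				f := rt.Field(i)
				if f.PkgPath != "" { // unexported field, skip
					continue
				}
				values[f.Name] = rv.Field(i).Interface()
			}
		}
	}
	return values, nil
}

// BindNamed rewrites every @Name token into a positional "?" placeholder and returns
// the bound values in placeholder order. The SQL text depends only on the query
// template, never on the values, which is the property that defeats injection.
func BindNamed(query string, args ...interface{}) (string, []interface{}, error) {
	values, err := collectNamedValues(args...)
	if err != nil {
		return "", nil, err
	}
	var bound []interface{}
	var missing []string
	// ReplaceAllStringFunc visits matches left to right, so bound stays in order.
	out := namedArgPattern.ReplaceAllStringFunc(query, func(tok string) string {
		name := tok[1:]
		val, ok := values[name]
		if !ok {
			missing = append(missing, name)
			return tok
		}
		bound = append(bound, val)
		return "?"
	})
	if len(missing) > 0 {
		return "", nil, fmt.Errorf("no value supplied for named argument(s): %s", strings.Join(missing, ", "))
	}
	return out, bound, nil
}

func main() {
	// Constructed sample: the struct form from the question, with a value that
	// contains a quote to show it is bound, not escaped into the text.
	type NamedArgument struct{ Name, Name2 string }
	sqlText, args, err := BindNamed(
		"SELECT * FROM users WHERE (name1 ILIKE @Name AND name3 ILIKE @Name) AND name2 ILIKE @Name2",
		NamedArgument{Name: "O'Brien", Name2: "jinzhu2"})
	if err != nil {
		panic(err)
	}
	fmt.Println(sqlText) // placeholders only; the values are in args
	fmt.Printf("%q\n", args)
}
```

Two practical notes follow from this. First, binding protects values only: a table name, column name or `ORDER BY` direction cannot be a parameter, so those must still be validated against an allow-list before being placed in the query template. Second, with `ILIKE` the `%` and `_` characters inside a bound value are still pattern metacharacters for the database; that is not an injection, but if a user should not be able to widen the match you need to escape them in the value (or use `=`).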
Comment From: github-actions[bot]
The issue has been automatically marked as stale as it is missing a playground pull request link, which is important to help others understand your issue effectively and make sure the issue hasn't been fixed on latest master; check out https://github.com/go-gorm/playground for details. It will be closed in 30 days if no further activity occurs. If you are asking a question, please use the Question template; most likely your question is already answered at https://github.com/go-gorm/gorm/issues or described in the documentation at https://gorm.io ✨ Search Before Asking ✨