This is easier to understand with an example, so let's go back to the previous example where we want to search for a user using an email address. If the email address a user submits is spliced straight into the SQL text, a value such as `' DROP TABLE users '` produces the following statement:

`SELECT * FROM users WHERE email = '' DROP TABLE users ''`

Now this might not look so bad at first, but if you take a closer look this statement doesn't just look for a user, it also adds an extra SQL statement to the end that drops the entire users table! Yikes! That would mean you would lose ALL of your user data if this were executed.

This is called SQL injection, and it happens when you let users input data that needs to be used in SQL statements and you don't escape any special characters, like the single quote (') character. Unfortunately, this is probably one of the most common ways that "hackers" will attempt to attack your website, and while some SQL injection attacks can be used to gain data, a large chunk of them will simply destroy a large portion of your data, leaving you with an empty database and a lot of explaining to do to your users.

By using the database/sql package to create our SQL statements, we get a free layer of protection against this. The database/sql package is aware of all special SQL characters, so when you try to insert a string with a single quote (') into a statement being constructed by the database/sql package it will escape the special characters and prevent any nefarious SQL statements from ever being executed.

Rather than executing the dangerous SQL above, the database/sql package would instead execute something like the SQL below:

`SELECT * FROM users WHERE email = ''' DROP TABLE users '''`

While this might look very similar, there is one very significant difference: the single quotes in the email address are doubled up, which is how you escape a single quote character in SQL. It is the equivalent of putting a backslash before a quote in Go, e.g. `fmt.Println("\"hi\", said the man")` would output `"hi", said the man`. Likewise `''' DROP TABLE users '''` is treated as the string `' DROP TABLE users '` in SQL, so rather than executing the dangerous `DROP TABLE users` command, this statement would search for a user with the email address `' DROP TABLE users '`. This likely won't return any users, but more importantly it wouldn't delete all of your data!

So the short version of this story is **always use the database/sql package to construct SQL statements and insert values into them**. It will save you a lot of headaches down the road, I promise.

How do I retrieve the ID of new records with Postgres and Go?

Okay, so we know to use the database/sql package to construct our SQL statements, and we saw an example of how to do this, but we still have one thing to cover: how to get the ID of a newly created record. In nearly all cases of creating a new record, you are likely relying on your database to create the record's ID, so before you can return the newly created record to an end user you are going to want to figure out the ID of that record.
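The three statements discussed above, as an added example that is not code from the original article: the string-spliced query the text warns about, the quote-doubled form it says database/sql would effectively run, and the placeholder form you should actually write. The `hostileEmail` input is the article's own example value; `findUser` and the `id, email` column list are assumptions for illustration.

```go
package main

import (
	"database/sql"
	"fmt"
	"strings"
)

// Constructed input, taken from the article's example of a hostile email value.
const hostileEmail = "' DROP TABLE users '"

// unsafeQuery builds the statement the way the article warns against: the
// user-supplied value is pasted straight into the SQL text, so a quote in the
// value closes the literal and anything after it becomes SQL.
func unsafeQuery(email string) string {
	return "SELECT * FROM users WHERE email = '" + email + "'"
}

// quoteLiteral escapes a value the way the article describes: every single
// quote is doubled, so the value can never close the surrounding literal.
func quoteLiteral(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// escapedQuery is the statement the article says database/sql would
// effectively execute. Postgres drivers usually send the argument to the
// server separately rather than inlining it, so this text is illustrative.
func escapedQuery(email string) string {
	return "SELECT * FROM users WHERE email = " + quoteLiteral(email)
}

// safeQuery is the form to write in practice: the SQL text carries a $1
// placeholder and the value travels as a separate argument, never as SQL.
func safeQuery(email string) (string, []any) {
	return "SELECT id, email FROM users WHERE email = $1", []any{email}
}

// findUser (hypothetical helper) runs the placeholder form against a *sql.DB
// assumed to have been opened with a Postgres driver elsewhere.
func findUser(db *sql.DB, email string) (int64, error) {
	q, args := safeQuery(email)
	var id int64
	var got string
	err := db.QueryRow(q, args...).Scan(&id, &got)
	return id, err
}

func main() {
	fmt.Println(unsafeQuery(hostileEmail))  // the injected statement
	fmt.Println(escapedQuery(hostileEmail)) // quotes doubled, one string literal
	q, args := safeQuery(hostileEmail)
	fmt.Println(q, args) // text and value kept apart
}
```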