
Commit 17e859d

README: Update encoding blacklisting for interpolateParams
1 parent 60fe63a commit 17e859d

File tree: 1 file changed, +2 -2 lines


README.md

+2-2
@@ -38,6 +38,7 @@ A MySQL-Driver for Go's [database/sql](http://golang.org/pkg/database/sql) packa
3838
* Intelligent `LONG DATA` handling in prepared statements
3939
* Secure `LOAD DATA LOCAL INFILE` support with file Whitelisting and `io.Reader` support
4040
* Optional `time.Time` parsing
41+
* Optional placeholder interpolation
4142

4243
## Requirements
4344
* Go 1.2 or higher
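Review bot: the new feature bullet `* Optional placeholder interpolation` says nothing about the charset restriction that the `interpolateParams` section in the second hunk now documents, while the neighbouring `LOAD DATA LOCAL INFILE` bullet does spell out its file whitelisting. A reader skimming the feature list will assume interpolation is always available; consider a short qualifier such as `* Optional placeholder interpolation (not with BIG5, CP932, GB2312, GBK or SJIS)` or a pointer to the `interpolateParams` section. Minor: the capitalised "Whitelisting" in the sibling bullet is inconsistent with the lower-case "blacklisted" used in the second hunk.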
@@ -192,8 +193,7 @@ Default: false
192193

193194
If `interpolateParams` is true, placeholders (`?`) in calls to `db.Query()` and `db.Exec()` are interpolated into a single query string with given parameters. This reduces the number of roundtrips, since the driver has to prepare a statement, execute it with given parameters and close the statement again with `interpolateParams=false`.
194195

195-
NOTE: *This may introduce a SQL injection vulnerability when connection encoding is multibyte encoding except for UTF-8 (e.g. CP932)!*
196-
(See http://stackoverflow.com/a/12118602/3430118)
196+
*This can not be used together with the multibyte encodings BIG5, CP932, GB2312, GBK or SJIS. These are blacklisted as they may [introduce a SQL injection vulnerability](http://stackoverflow.com/a/12118602/3430118)!*
197197

198198
##### `loc`
199199

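Review bot: the rewritten note says the five charsets are blacklisted but not what the driver does when `interpolateParams=true` is combined with one of them (refused when the connection is opened, an error on each `db.Query()`/`db.Exec()`, or silently falling back to prepared statements), which is exactly what a user hitting the restriction needs to know; add one sentence stating the observable behaviour. It also drops the rationale the old note carried ("multibyte encoding except for UTF-8"), so a reader cannot tell whether the list is exhaustive or only the charsets examined so far; keep the general rule next to the list. Style: "can not" should be "cannot", and the `NOTE:` prefix that made the security warning stand out has been removed.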