Skip to main content
Version: 2.8.x(Latest)

Due to the security assurance of ORM, all input parameters are executed in a prepared mode at the underlying level to prevent common SQL injection risks. In certain scenarios, we expect to embed custom SQL statements in the generated execution SQL statements, then we can use the RawSQL feature of ORM through the gdb.Raw type. Let's look at a few examples.

Using RawSQL in Insert

gdb.Raw is a string type, and the parameter of this type will be directly embedded as an SQL fragment into the SQL statement submitted to the underlying level. It will not be automatically converted into a string parameter type, nor will it be treated as a prepared parameter. For example:

// INSERT INTO `user`(`id`,`passport`,`password`,`nickname`,`create_time`) VALUES('id+2','john','123456','now()')
g.Model("user").Data(g.Map{
    "id":          "id+2",
    "passport":    "john",
    "password":    "123456",
    "nickname":    "JohnGuo",
    "create_time": "now()",
}).Insert()
// Execution error: Error Code: 1136. Column count doesn't match value count at row 1

After refactoring with gdb.Raw:

// INSERT INTO `user`(`id`,`passport`,`password`,`nickname`,`create_time`) VALUES(id+2,'john','123456',now())
g.Model("user").Data(g.Map{
    "id":          gdb.Raw("id+2"),
    "passport":    "john",
    "password":    "123456",
    "nickname":    "JohnGuo",
    "create_time": gdb.Raw("now()"),
}).Insert()

Using RawSQL in Update

// UPDATE `user` SET login_count='login_count+1',update_time='now()' WHERE id=1
g.Model("user").Data(g.Map{
    "login_count": "login_count+1",
    "update_time": "now()",
}).Where("id", 1).Update()
// Execution error: Error Code: 1136. Column count doesn't match value count at row 1

After refactoring with gdb.Raw:

// UPDATE `user` SET login_count=login_count+1,update_time=now() WHERE id=1
g.Model("user").Data(g.Map{
    "login_count": gdb.Raw("login_count+1"),
    "update_time": gdb.Raw("now()"),
}).Where("id", 1).Update()

Using RawSQL in Select

The time function now() will be converted into a string to be executed as an SQL parameter:

// SELECT * FROM `user` WHERE `created_at`<'now()'
g.Model("user").WhereLT("created_at", "now()").All()

After refactoring with gdb.Raw:

// SELECT * FROM `user` WHERE `created_at`<now()
g.Model("user").WhereLT("created_at", gdb.Raw("now()")).All()