Renamed function NewFieldRaw() to NewUnsafeFieldRaw()

Author: zhangleitao

field/export.go

@@ -32,8 +32,12 @@ func NewField(table, column string, opts ...Option) Field {
 	return Field{expr: expr{col: toColumn(table, column, opts...)}}
 }
 
-// NewFieldRaw create new field by native sql
-func NewFieldRaw(rawSQL string, vars ...interface{}) Field {
+// NewUnsafeFieldRaw create new field by native sql
+//
+// Warning: Using NewUnsafeFieldRaw with raw SQL exposes your application to SQL injection vulnerabilities.
+// Always validate/sanitize inputs and prefer parameterized queries or NewField methods for field construction.
+// Use this low-level function only when absolutely necessary, and ensure any embedded values are properly escaped.
+func NewUnsafeFieldRaw(rawSQL string, vars ...interface{}) Field {
 	return Field{expr: expr{e: clause.Expr{SQL: rawSQL, Vars: vars}}}
 }
 

field/export_test.go

@@ -90,52 +90,52 @@ func TestExpr_Build(t *testing.T) {
 			Result: "GROUP_CONCAT(`id`)",
 		},
 		{
-			Expr:         field.NewFieldRaw("if(column1=?,column2,column3)", "1"),
+			Expr:         field.NewUnsafeFieldRaw("if(column1=?,column2,column3)", "1"),
 			Result:       "if(column1=?,column2,column3)",
 			ExpectedVars: []interface{}{"1"},
 		},
 		{
-			Expr:         field.NewFieldRaw("if(column1=?,column2,column3)", "1").Eq(p),
+			Expr:         field.NewUnsafeFieldRaw("if(column1=?,column2,column3)", "1").Eq(p),
 			Result:       "if(column1=?,column2,column3) = ?",
 			ExpectedVars: []interface{}{"1", p},
 		},
 		{
-			Expr:         field.NewFieldRaw("if(column1=?,column2,column3)", field.NewField("", "new_id")).Eq(p),
+			Expr:         field.NewUnsafeFieldRaw("if(column1=?,column2,column3)", field.NewField("", "new_id")).Eq(p),
 			Result:       "if(column1=`new_id`,column2,column3) = ?",
 			ExpectedVars: []interface{}{p},
 		},
 		{
-			Expr:         field.NewFieldRaw("if(column1=?,column2,column3)", "1").EqCol(field.NewField("", "new_id")),
+			Expr:         field.NewUnsafeFieldRaw("if(column1=?,column2,column3)", "1").EqCol(field.NewField("", "new_id")),
 			Result:       "if(column1=?,column2,column3) = `new_id`",
 			ExpectedVars: []interface{}{"1"},
 		},
 		{
-			Expr:         field.NewFieldRaw("if(column1=?,column2,column3)", "1").EqCol(field.NewField("", "new_id").WithTable("tableB")),
+			Expr:         field.NewUnsafeFieldRaw("if(column1=?,column2,column3)", "1").EqCol(field.NewField("", "new_id").WithTable("tableB")),
 			Result:       "if(column1=?,column2,column3) = `tableB`.`new_id`",
 			ExpectedVars: []interface{}{"1"},
 		},
 		{
-			Expr:         field.NewFieldRaw("if(column1=?,column2,column3)", "1").IsNull(),
+			Expr:         field.NewUnsafeFieldRaw("if(column1=?,column2,column3)", "1").IsNull(),
 			Result:       "if(column1=?,column2,column3) IS NULL",
 			ExpectedVars: []interface{}{"1"},
 		},
 		{
-			Expr:         field.NewFieldRaw("if(column1=?,column2,column3)", "1").GroupConcat(),
+			Expr:         field.NewUnsafeFieldRaw("if(column1=?,column2,column3)", "1").GroupConcat(),
 			Result:       "GROUP_CONCAT(if(column1=?,column2,column3))",
 			ExpectedVars: []interface{}{"1"},
 		},
 		{
-			Expr:         field.NewFieldRaw("if(column1=?,column2,column3)", "1").Desc(),
+			Expr:         field.NewUnsafeFieldRaw("if(column1=?,column2,column3)", "1").Desc(),
 			Result:       "if(column1=?,column2,column3) DESC",
 			ExpectedVars: []interface{}{"1"},
 		},
 		{
-			Expr:         field.NewFieldRaw("if(column1=?,column2,column3)", "1").IfNull(p),
+			Expr:         field.NewUnsafeFieldRaw("if(column1=?,column2,column3)", "1").IfNull(p),
 			Result:       "IFNULL(if(column1=?,column2,column3),?)",
 			ExpectedVars: []interface{}{"1", p},
 		},
 		{
-			Expr:         field.NewFieldRaw("if(column1=?,column2,column3)", "1").As("column4"),
+			Expr:         field.NewUnsafeFieldRaw("if(column1=?,column2,column3)", "1").As("column4"),
 			Result:       "if(column1=?,column2,column3) AS `column4`",
 			ExpectedVars: []interface{}{"1"},
 		},