feat: support native SQL as custom fields (#1213)

mimicode · zhangleitao · web-flow · commit e2dcb6d953e6 · 2025-03-20T10:02:07.000+08:00
* feat: support native SQL as custom fields

* add comment

* fix var name format

* Renamed function NewFieldRaw() to NewUnsafeFieldRaw()

---------

Co-authored-by: zhangleitao &lt;zhangleitao@huorong.cn&gt;
diff --git a/field/export.go b/field/export.go
@@ -32,6 +32,15 @@ func NewField(table, column string, opts ...Option) Field {
 	return Field{expr: expr{col: toColumn(table, column, opts...)}}
 }
 
+// NewUnsafeFieldRaw create new field by native sql
+//
+// Warning: Using NewUnsafeFieldRaw with raw SQL exposes your application to SQL injection vulnerabilities.
+// Always validate/sanitize inputs and prefer parameterized queries or NewField methods for field construction.
+// Use this low-level function only when absolutely necessary, and ensure any embedded values are properly escaped.
+func NewUnsafeFieldRaw(rawSQL string, vars ...interface{}) Field {
+	return Field{expr: expr{e: clause.Expr{SQL: rawSQL, Vars: vars}}}
+}
+
 // NewSerializer create new field2
 func NewSerializer(table, column string, opts ...Option) Serializer {
 	return Serializer{expr: expr{col: toColumn(table, column, opts...)}}
diff --git a/field/export_test.go b/field/export_test.go
@@ -89,6 +89,56 @@ func TestExpr_Build(t *testing.T) {
 			Expr:   field.NewField("", "id").GroupConcat(),
 			Result: "GROUP_CONCAT(`id`)",
 		},
+		{
+			Expr:         field.NewUnsafeFieldRaw("if(column1=?,column2,column3)", "1"),
+			Result:       "if(column1=?,column2,column3)",
+			ExpectedVars: []interface{}{"1"},
+		},
+		{
+			Expr:         field.NewUnsafeFieldRaw("if(column1=?,column2,column3)", "1").Eq(p),
+			Result:       "if(column1=?,column2,column3) = ?",
+			ExpectedVars: []interface{}{"1", p},
+		},
+		{
+			Expr:         field.NewUnsafeFieldRaw("if(column1=?,column2,column3)", field.NewField("", "new_id")).Eq(p),
+			Result:       "if(column1=`new_id`,column2,column3) = ?",
+			ExpectedVars: []interface{}{p},
+		},
+		{
+			Expr:         field.NewUnsafeFieldRaw("if(column1=?,column2,column3)", "1").EqCol(field.NewField("", "new_id")),
+			Result:       "if(column1=?,column2,column3) = `new_id`",
+			ExpectedVars: []interface{}{"1"},
+		},
+		{
+			Expr:         field.NewUnsafeFieldRaw("if(column1=?,column2,column3)", "1").EqCol(field.NewField("", "new_id").WithTable("tableB")),
+			Result:       "if(column1=?,column2,column3) = `tableB`.`new_id`",
+			ExpectedVars: []interface{}{"1"},
+		},
+		{
+			Expr:         field.NewUnsafeFieldRaw("if(column1=?,column2,column3)", "1").IsNull(),
+			Result:       "if(column1=?,column2,column3) IS NULL",
+			ExpectedVars: []interface{}{"1"},
+		},
+		{
+			Expr:         field.NewUnsafeFieldRaw("if(column1=?,column2,column3)", "1").GroupConcat(),
+			Result:       "GROUP_CONCAT(if(column1=?,column2,column3))",
+			ExpectedVars: []interface{}{"1"},
+		},
+		{
+			Expr:         field.NewUnsafeFieldRaw("if(column1=?,column2,column3)", "1").Desc(),
+			Result:       "if(column1=?,column2,column3) DESC",
+			ExpectedVars: []interface{}{"1"},
+		},
+		{
+			Expr:         field.NewUnsafeFieldRaw("if(column1=?,column2,column3)", "1").IfNull(p),
+			Result:       "IFNULL(if(column1=?,column2,column3),?)",
+			ExpectedVars: []interface{}{"1", p},
+		},
+		{
+			Expr:         field.NewUnsafeFieldRaw("if(column1=?,column2,column3)", "1").As("column4"),
+			Result:       "if(column1=?,column2,column3) AS `column4`",
+			ExpectedVars: []interface{}{"1"},
+		},
 		{
 			Expr:   field.Func.UnixTimestamp(),
 			Result: "UNIX_TIMESTAMP()",
