How can I prevent SQL injection attacks in Go while using "database/sql"?

go sql-injection
John Montague picture John Montague · Oct 13, 2014 · Viewed 21.3k times · Source

Building my first web-app and want to understand SQL injection better (https://github.com/astaxie/build-web-application-with-golang/blob/master/en/eBook/09.4.md).

How much protection against SQL injection do I get from just always using the 'database/sql' library and constructing queries using '?' instead of concatting strings? What kind of SQL injection attacks will I still have to worry about in that case?

Answer

OneOfOne picture OneOfOne · Oct 13, 2014

As long as you're using Prepare or Query, you're safe.

// this is safe
db.Query("SELECT name FROM users WHERE age=?", req.FormValue("age"))
// this allows sql injection.
db.Query("SELECT name FROM users WHERE age=" + req.FormValue("age"))

Related questions

How to check if a map contains a key in Go?

I know I can iterate over a map m by, for k, v := range m { ... } and look for a key but is there a more efficient way of testing a key's existence in a map? I couldn't find the answer …

Read More
How can I convert a zero-terminated byte array to string?

I need to read [100]byte to transfer a bunch of string data. Because not all of the strings are precisely 100 characters long, the remaining part of the byte array is padded with 0s. If I convert [100]byte to string by: …

Read More
How to efficiently concatenate strings in go

In Go, a string is a primitive type, which means it is read-only, and every manipulation of it will create a new string. So if I want to concatenate strings many times without knowing the length of the resulting string, …

Read More