SQLi and templates

[lojikil]

Most of the non-compliant Go SQL code I see is actually abuse of templates, rather than string joins. We should show non-compliance via templating as well, so that developers do not think that templating can necessarily save them here.

[PauloASilva]

Hi @lojikil,
Can you please provide an example of it?

Cheers,
Paulo A. Silva

[PauloASilva]

By "abuse of templates" do you mean stuff like:

rows, err := db.Query(fmt.Sprintf("SELECT * FROM user WHERE id = %s", id))

@lojikil would you like to open a Pull Request?

Cheers,
Paulo A. Silva

[Demiserular]

Hey @PauloASilva , I have got this whole week free , If you want to assign this or some other issues to me , I would love to resolve those.

[Demiserular]

@PauloASilva Should I include edge cases like dynamic table/column names, LIKE clauses, or IN clauses with variable-length parameters?
few Examples from my side are :
// Unsafe
rows, err := db.Query(fmt.Sprintf("SELECT * FROM user WHERE id = %s", id))
// Safe (MySQL)
rows, err := db.Query("SELECT * FROM user WHERE id = ?", id)
// Safe (Postgres)
rows, err := db.Query("SELECT * FROM user WHERE id = $1", id) ...

or Any specific attack scenarios you'd like demonstrated?

Looking forward to your feedback.