ID: go-security/sql-format-string
Language: Go
Severity: Error
Category: Security
Queries vulnerable to SQL injection should be avoided.
Consider this code snippet:
```go
func main() {
	// username is untrusted, user-supplied input
	q := fmt.Sprintf("SELECT * FROM users where name = '%s'", username)
	rows, err := db.Query(q)
}
```
In this code snippet, the SQL query is dynamically constructed by formatting the `username` variable directly into the query string with `fmt.Sprintf`. This approach is dangerous because it allows an attacker to manipulate the value of `username` and potentially execute malicious SQL commands.

For example, if an attacker sets the `username` value to `'; DROP TABLE users;--`, the resulting constructed query will be:

```sql
SELECT * FROM users where name = ''; DROP TABLE users;--
```

This will result in the execution of two separate SQL statements: the first statement will retrieve all user records, and the second statement will drop the entire `users` table from the database.
To avoid SQL injection vulnerabilities, it is essential to use parameterized queries or prepared statements. These techniques separate the SQL query from user-supplied input and ensure that the input is treated only as data, not as executable SQL code.
Here’s an example of how the above code can be modified to use parameterized queries:
```go
func main() {
	q := "SELECT * FROM users WHERE name = ?"
	rows, err := db.Query(q, username)
}
```

By using the `?` placeholder in the SQL query and passing the `username` variable as a query parameter, the database driver takes care of handling the input safely (sending it separately from the statement, or escaping it, depending on the driver) and preventing SQL injection attacks. Note that the placeholder syntax is driver-specific: `?` is used by the MySQL and SQLite drivers, while PostgreSQL drivers use positional `$1`, `$2` placeholders; `database/sql` passes the query string through to the driver unchanged.

By following best practices and using parameterized queries or prepared statements, you can ensure the security and integrity of your database operations.
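To make the difference visible without a real database, here is an added example (not part of the rule page or of Datadog's code) using a constructed stub `database/sql` driver that records what the driver actually receives. With the `fmt.Sprintf` pattern the attacker value ends up inside the SQL text; with the `?` placeholder the SQL text stays constant and the value arrives only as a bound parameter. The driver name `rec-*`, the `Captured` type and the two query helpers are assumptions of this example.

```go
package main

import (
	"context"
	"database/sql"
	"database/sql/driver"
	"fmt"
	"io"
)

// Captured is what the stub driver received: the SQL text and, separately, the bound parameters.
type Captured struct{ Query string; Args []driver.NamedValue }

// rec is a minimal driver.Driver + driver.Conn (constructed for this example) that records queries.
type rec struct{ last *Captured }
type noRows struct{}

func (r rec) Open(string) (driver.Conn, error)  { return r, nil }
func (rec) Prepare(string) (driver.Stmt, error) { return nil, driver.ErrSkip }
func (rec) Close() error                        { return nil }
func (rec) Begin() (driver.Tx, error)           { return nil, driver.ErrSkip }
func (r rec) QueryContext(_ context.Context, q string, args []driver.NamedValue) (driver.Rows, error) {
	*r.last = Captured{Query: q, Args: args} // database/sql hands us text and parameters separately
	return noRows{}, nil
}
func (noRows) Columns() []string         { return []string{"name"} }
func (noRows) Close() error              { return nil }
func (noRows) Next([]driver.Value) error { return io.EOF }

// openRecording registers the stub driver under a unique name and opens a DB on it.
func openRecording(name string) (*sql.DB, *Captured, error) {
	c := &Captured{}
	sql.Register(name, rec{last: c})
	db, err := sql.Open(name, "")
	return db, c, err
}

// queryFormatted is the vulnerable pattern: untrusted input becomes part of the SQL text.
func queryFormatted(db *sql.DB, username string) error {
	rows, err := db.Query(fmt.Sprintf("SELECT * FROM users where name = '%s'", username))
	if err != nil { return err }
	return rows.Close()
}

// queryParameterized is the fix: constant SQL text, the value travels as a bound parameter.
func queryParameterized(db *sql.DB, username string) error {
	rows, err := db.Query("SELECT * FROM users WHERE name = ?", username)
	if err != nil { return err }
	return rows.Close()
}
```

Running both helpers with the rule's sample value `'; DROP TABLE users;--` shows the payload spliced into `Captured.Query` for the formatted version, and an unchanged query string plus one parameter for the parameterized one.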
Non-Compliant Code Examples

```go
func (p *Profile) UnsafeQueryGetData(uid string) error {
	/* this function gets Profile data from the database with a vulnerable query */
	DB, err = database.Connect()
	getProfileSql := fmt.Sprintf(`SELECT p.user_id, p.full_name, p.city, p.phone_number
	FROM Profile as p,Users as u
	where p.user_id = u.id
	and u.id=%s`, uid) // here is the vulnerable query: uid is formatted straight into the SQL text
	rows, err := DB.Query(getProfileSql)
	if err != nil {
		return err // this returns the raw query error to the client
	}
	defer rows.Close()
	//var profile = Profile{}
	for rows.Next() {
		err = rows.Scan(&p.Uid, &p.Name, &p.City, &p.PhoneNumber)
		if err != nil {
			log.Printf("Row scan error: %s", err.Error())
			return err
		}
	}
	return nil
}
```
```go
func main() {
	q := fmt.Sprintf("SELECT * FROM users where name = '%s'", username)
	rows, err := db.Query(q)
}
```
Compliant Code Examples

```go
func main() {
	q := "SELECT * FROM users where name = 'foobar'"
	rows, err := db.Query(q)
}
```