Metadata
ID: go-security/sql-string-concatenation
Language: Go
Severity: Error
Category: Security
Description
Queries vulnerable to SQL injection should be avoided.
Consider this code snippet:
func main() {
    // username is interpolated straight into the SQL text
    q := fmt.Sprintf("SELECT * FROM users where name = '%s'", username)
    rows, err := db.Query(q)
}
In this code snippet, the SQL query is built dynamically by interpolating the username variable into the query string with fmt.Sprintf, which amounts to string concatenation. This approach is dangerous because an attacker who controls the value of username can change the structure of the query and potentially execute malicious SQL commands.
For example, if an attacker sets the username value to '; DROP TABLE users;--, the resulting constructed query will be:
SELECT * FROM users where name = ''; DROP TABLE users;--
This will result in the execution of two separate SQL statements: the first statement will retrieve all user records, and the second statement will drop the entire users table from the database.
To avoid SQL injection vulnerabilities, it is essential to use parameterized queries or prepared statements. These techniques separate the SQL query from user-supplied input and ensure that the input is treated only as data, not as executable SQL code.
Here’s an example of how the above code can be modified to use parameterized queries:
func main() {
    // the query text is fixed; username is passed separately as a parameter
    q := "SELECT * FROM users WHERE name = ?"
    rows, err := db.Query(q, username)
}
By using the ? placeholder in the SQL query and passing the username variable as a query parameter, the database driver takes care of properly escaping the input and preventing SQL injection attacks.
By following best practices and using parameterized queries or prepared statements, you can ensure the security and integrity of your database operations.
Non-Compliant Code Examples
func main() {
    // non-compliant: username is concatenated into the SQL text
    q := "SELECT * FROM users where name = '" + username + "'"
    rows, err := db.Query(q)
}
Compliant Code Examples
func main() {
    // compliant: the query is a fixed string literal with no runtime input
    q := "SELECT * FROM users where name = 'username'"
    rows, err := db.Query(q)
}
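As an added illustration (not Datadog's implementation of this rule), the Go program below uses go/ast to flag the pattern the rule targets: a Query or Exec call whose query argument was assembled with fmt.Sprintf or + concatenation, following a local q := ... assignment back to its value. The sample source is constructed from the page's examples, and the names sample, isDynamic and FindConcatenatedQueries are chosen here.

```go
package main
import ("go/ast"; "go/parser"; "go/token"; "go/types")
const sample = `package p
func bad1(username string) { q := fmt.Sprintf("SELECT * FROM users where name = '%s'", username); db.Query(q) }
func bad2(username string) { q := "SELECT * FROM users where name = '" + username + "'"; db.Query(q) }
func good(username string) { q := "SELECT * FROM users WHERE name = ?"; db.Query(q, username) }` // constructed sample mirroring the page's examples

// isDynamic reports whether a query expression is assembled from other values rather than a fixed literal.
func isDynamic(e ast.Expr) bool {
	switch x := e.(type) {
	case *ast.BinaryExpr: // "... name = '" + username + "'"
		return x.Op == token.ADD
	case *ast.CallExpr: // fmt.Sprintf("... name = '%s'", username)
		return types.ExprString(x.Fun) == "fmt.Sprintf"
	}
	return false
}
// FindConcatenatedQueries returns the lines of Query/Exec calls whose query argument was built dynamically.
func FindConcatenatedQueries(src string) ([]int, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	var lines []int
	assigned := map[string]ast.Expr{} // local name -> last expression assigned to it
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.FuncDecl:
			assigned = map[string]ast.Expr{} // new function, fresh local scope
		case *ast.AssignStmt: // record q := <expr> so the call site can be resolved
			if id, ok := x.Lhs[0].(*ast.Ident); ok && len(x.Rhs) == 1 {
				assigned[id.Name] = x.Rhs[0]
			}
		case *ast.CallExpr:
			sel, ok := x.Fun.(*ast.SelectorExpr)
			if ok && len(x.Args) > 0 && (sel.Sel.Name == "Query" || sel.Sel.Name == "Exec") {
				arg := x.Args[0]
				if id, ok := arg.(*ast.Ident); ok && assigned[id.Name] != nil {
					arg = assigned[id.Name] // follow the variable back to its value
				}
				if isDynamic(arg) {
					lines = append(lines, fset.Position(x.Pos()).Line)
				}
			}
		}
		return true
	})
	return lines, nil
}
```

Running FindConcatenatedQueries(sample) reports lines 2 and 3 (the Sprintf and concatenation cases) and leaves the parameterized query on line 4 alone.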
Datadog Code Security
Analyze your code with Datadog Code Security using this rule
How to use this rule
rulesets:
  - go-security # Rules to enforce Go security.
Create a static-analysis.datadog.yml with the content above at the root of your repository.
Use our free IDE plugins or add Code Security scans to your CI pipelines.