|
| 1 | +--- |
| 2 | +id: g201 |
| 3 | +title: G201: SQL query construction using format string |
| 4 | +--- |
| 5 | + |
| 6 | +[SQL injection](https://en.wikipedia.org/wiki/SQL_injection) is one of the top security issues developers make and the consequences of this can be severe. |
| 7 | +Using the format string function in the fmt Golang package to dynamically create an SQL query can easily create a possibility for SQL injection. The reason is that the format string function doesn't escape special characters like ' and it's easy to add second SQL command in the format string. |
| 8 | + |
| 9 | +## Example problematic code: |
| 10 | + |
| 11 | +``` |
| 12 | +package main |
| 13 | +import ( |
| 14 | + "database/sql" |
| 15 | + "fmt" |
| 16 | + "os" |
| 17 | +) |
| 18 | +func main(){ |
| 19 | + db, err := sql.Open("sqlite3", ":memory:") |
| 20 | + if err != nil { |
| 21 | + panic(err) |
| 22 | + } |
| 23 | + q := fmt.Sprintf("SELECT * FROM foo where name = '%s'", os.Args[1]) |
| 24 | + rows, err := db.Query(q) |
| 25 | + if err != nil { |
| 26 | + panic(err) |
| 27 | + } |
| 28 | + defer rows.Close() |
| 29 | +} |
| 30 | +``` |
| 31 | + |
| 32 | +## Gosec command line output |
| 33 | + |
| 34 | +``` |
| 35 | +[examples/main.go:14] - G201: SQL string formatting (Confidence: HIGH, Severity: MEDIUM) |
| 36 | + > fmt.Sprintf("SELECT * FROM foo where name = '%s'", os.Args[1]) |
| 37 | +``` |
| 38 | + |
| 39 | +## The right way |
| 40 | + |
| 41 | +Two of the ways to escape SQL injection when using Golang are: |
| 42 | + |
| 43 | +1) use static queries |
| 44 | + |
| 45 | +``` |
| 46 | +package main |
| 47 | +import ( |
| 48 | + "database/sql" |
| 49 | +) |
| 50 | +const staticQuery = "SELECT * FROM foo WHERE age < 32" |
| 51 | +func main(){ |
| 52 | + db, err := sql.Open("sqlite3", ":memory:") |
| 53 | + if err != nil { |
| 54 | + panic(err) |
| 55 | + } |
| 56 | + rows, err := db.Query(staticQuery) |
| 57 | + if err != nil { |
| 58 | + panic(err) |
| 59 | + } |
| 60 | + defer rows.Close() |
| 61 | +} |
| 62 | +``` |
| 63 | + |
| 64 | +2) use the database/sql |
| 65 | +By using the database/sql package along with argument placeholders you are able to construct SQL statements that are automatically escaped properly. |
| 66 | +The key distinction here is that you aren’t trying to construct the SQL statement yourself, but instead you are providing arguments that can be easily escaped. The underlying driver for database/sql will ultimately be aware of what special characters it needs to handle and will escape them for you, preventing any nefarious SQL from running. |
| 67 | + |
| 68 | + |
| 69 | +``` |
| 70 | +package main |
| 71 | +import ( |
| 72 | + "database/sql" |
| 73 | + "bufio" |
| 74 | +
|
| 75 | +) |
| 76 | +func main(){ |
| 77 | + db, err := sql.Open("sqlite3", ":memory:") |
| 78 | + if err != nil { |
| 79 | + panic(err) |
| 80 | + } |
| 81 | + in := bufio.NewReader(os.Stdin) |
| 82 | + name, err := in.ReadString('\n') |
| 83 | + if err != nil { |
| 84 | + panic(err) |
| 85 | + } |
| 86 | + rows, err := db.Query("SELECT * FROM foo WHERE name = ?", name) |
| 87 | + if err != nil { |
| 88 | + panic(err) |
| 89 | + } |
| 90 | + defer rows.Close() |
| 91 | +} |
| 92 | +``` |
| 93 | + |
| 94 | +It is highly recommended to use the database/sql package in Golang instead of fmt package for SQL queries. |
| 95 | + |
| 96 | +## See also |
| 97 | + |
| 98 | +* https://www.calhoun.io/what-is-sql-injection-and-how-do-i-avoid-it-in-go/ |
| 99 | +* https://astaxie.gitbooks.io/build-web-application-with-golang/en/09.4.html |
0 commit comments