Skip to content
This repository was archived by the owner on Feb 27, 2026. It is now read-only.

Add documentation for rule G201 #12

Merged
gcmurphy merged 2 commits into from
Feb 19, 2019
Merged

Add documentation for rule G201 #12

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
eaf1601
Add documentation for rule G201
Feb 13, 2019
691b8e7
Add documentation about the use of database/sql package
Feb 18, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
99 changes: 99 additions & 0 deletions docs/rules/g201_sql_injection_via_format_string.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,99 @@
---
id: g201
title: G201: SQL query construction using format string
---

[SQL injection](https://en.wikipedia.org/wiki/SQL_injection) is one of the top security issues developers make and the consequences of this can be severe.
Using the format string function in the fmt Golang package to dynamically create an SQL query can easily create a possibility for SQL injection. The reason is that the format string function doesn't escape special characters like ' and it's easy to add second SQL command in the format string.

## Example problematic code:

```
package main
import (
"database/sql"
"fmt"
"os"
)
func main(){
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
q := fmt.Sprintf("SELECT * FROM foo where name = '%s'", os.Args[1])
rows, err := db.Query(q)
if err != nil {
panic(err)
}
defer rows.Close()
}
```

## Gosec command line output

```
[examples/main.go:14] - G201: SQL string formatting (Confidence: HIGH, Severity: MEDIUM)
> fmt.Sprintf("SELECT * FROM foo where name = '%s'", os.Args[1])
```

## The right way

Two of the ways to escape SQL injection when using Golang are:

1) use static queries

Copy link
Copy Markdown
Member

@gcmurphy gcmurphy Feb 15, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It can also be safe to use a prepared SQL query, or using parametrised queries like db.Query("SELECT * FROM foo WHERE name = ?", name) in addition to static queries.

```
package main
import (
"database/sql"
)
const staticQuery = "SELECT * FROM foo WHERE age < 32"
func main(){
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
rows, err := db.Query(staticQuery)
if err != nil {
panic(err)
}
defer rows.Close()
}
```

2) use the database/sql
By using the database/sql package along with argument placeholders you are able to construct SQL statements that are automatically escaped properly.
The key distinction here is that you aren’t trying to construct the SQL statement yourself, but instead you are providing arguments that can be easily escaped. The underlying driver for database/sql will ultimately be aware of what special characters it needs to handle and will escape them for you, preventing any nefarious SQL from running.


```
package main
import (
"database/sql"
"bufio"

)
func main(){
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
panic(err)
}
in := bufio.NewReader(os.Stdin)
name, err := in.ReadString('\n')
if err != nil {
panic(err)
}
rows, err := db.Query("SELECT * FROM foo WHERE name = ?", name)
if err != nil {
panic(err)
}
defer rows.Close()
}
```

It is highly recommended to use the database/sql package in Golang instead of fmt package for SQL queries.

## See also

* https://www.calhoun.io/what-is-sql-injection-and-how-do-i-avoid-it-in-go/
* https://astaxie.gitbooks.io/build-web-application-with-golang/en/09.4.html
3 changes: 2 additions & 1 deletion website/sidebars.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,8 @@
"rules/g102",
"rules/g103",
"rules/g104",
"rules/g107"
"rules/g107",
"rules/g201"
]
}
}