This library is not safe and should not be trusted to prevent SQL Injection Attacks. #2

@kevburnsjr

The example shows

sql := sqlstring.Format("select * from users where name=? and age=? limit ?,?", "t'est", 10, 10, 10)
fmt.Printf("sql: %s\n", sql)

Outputting

sql: select * from users where name='t\'est' and age=10 limit 10,10

Which is correct. However, this protection can easily be defeated:

sql := sqlstring.Format("select * from users where name=? and age=? limit ?,?", `t\'est`, 10, 10, 10)
fmt.Printf("sql: %s\n", sql)

Outputting

sql: select * from users where name='t\\'est' and age=10 limit 10,10

The double backslash fails to escape the single quote, resulting in a SQL injection vulnerability.

https://go.dev/play/p/qVnax1F8P9M
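The report above describes an escaper that turns the backslash into `\\` but leaves the following quote bare, so the literal closes early. As an added illustration (not part of this issue or of the sqlstring library), the Go code below shows a one-pass escaper that handles both characters, plus a small check, `literalIntact`, that a defender can run over generated SQL to detect a quoted literal that terminates before its closing quote; both function names are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeLiteral wraps s in single quotes, escaping backslash, quote, NUL,
// newline and carriage return in a single pass so that a pre-escaped input
// such as t\'est cannot smuggle a bare quote through.
func escapeLiteral(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch r {
		case '\\':
			b.WriteString(`\\`)
		case '\'':
			b.WriteString(`\'`)
		case 0:
			b.WriteString(`\0`)
		case '\n':
			b.WriteString(`\n`)
		case '\r':
			b.WriteString(`\r`)
		default:
			b.WriteRune(r)
		}
	}
	return "'" + b.String() + "'"
}

// literalIntact reports whether lit is one single-quoted literal from its
// first character to its last: a backslash consumes the next byte, a bare
// quote closes the literal early, and a trailing backslash would swallow
// the closing quote. Both of those are reported as not intact.
func literalIntact(lit string) bool {
	if len(lit) < 2 || lit[0] != '\'' || lit[len(lit)-1] != '\'' {
		return false
	}
	body := lit[1 : len(lit)-1]
	for i := 0; i < len(body); i++ {
		switch body[i] {
		case '\\':
			if i+1 >= len(body) {
				return false
			}
			i++ // skip the escaped byte
		case '\'':
			return false
		}
	}
	return true
}

func main() {
	for _, in := range []string{"t'est", `t\'est`} { // inputs from the report
		out := escapeLiteral(in)
		fmt.Printf("%-8s -> %-12s intact=%v\n", in, out, literalIntact(out))
	}
	// The literal the report shows being produced for the second input:
	fmt.Println("reported output intact:", literalIntact(`'t\\'est'`))
}
```

Client-side escaping stays a fallback; sending values as parameters through database/sql placeholders keeps them out of the statement text altogether.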
