Formatted SQL queries can be difficult to maintain, debug and can increase the risk of SQL injection when concatenating untrusted values into the
query. However, this rule doesn’t detect SQL injections (unlike rule S3649), the goal is only to highlight complex/formatted queries.
Ask Yourself Whether
- Some parts of the query come from untrusted values (like user inputs).
- The query is repeated/duplicated in other parts of the code.
- The application must support different types of relational databases.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
Sensitive Code Example
func getName(db *sql.DB, id string) (string, error) {
var name string
row := db.QueryRow("SELECT name FROM users WHERE id = " + id) // Sensitive
if err := row.Scan(&name); err != nil {
if err == sql.ErrNoRows {
return name, fmt.Errorf("No name found for id %s", id)
}
}
return name, nil
}
Compliant Solution
func getName(db *sql.DB, id string) (string, error) {
var name string
row := db.QueryRow("SELECT name FROM users WHERE id = ?", id)
if err := row.Scan(&name); err != nil {
if err == sql.ErrNoRows {
return name, fmt.Errorf("No name found for id %s", id)
}
}
return name, nil
}
See
