Are query strings in golang safe?

Consider the following retrieval of a URL parameter that is passed in the URL:

userId := r.URL.Query().Get("userId") // r is the *http.Request handed to the handler


Is this safe (escaped and ready to use in a DB call) as it is, or do I need to escape / sanitize it before using it?

+3


1 answer


This is not DB-safe; you must use the database driver's escaping before putting anything into it.

You should use functions such as sql.DB.Query(), which let you pass arguments and escape them properly: http://golang.org/pkg/database/sql/#DB.Query



eg.

userId := r.URL.Query().Get("userId") // r is the *http.Request handed to the handler

rows, err := db.Query("SELECT * FROM users WHERE id=?", userId) // the value is bound by the driver, never pasted into the SQL text ("?" is the MySQL-style placeholder; Postgres drivers use $1)

+6


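As an added illustration (not part of the original answer), the following Go program registers a small constructed database/sql driver that runs no SQL and only records what it receives. That makes the answer's point visible: with string concatenation the query-string value becomes part of the SQL text, while with db.Query(..., userId) the text stays constant and the value arrives at the driver as a separate bound argument. It also reads the parameter the way the question does and, since an id is numeric, validates it as a positive integer. The driver (registered under the assumed name "recording"), the helper functions and the sample input are all assumptions made for this example.

```go
package main

import (
	"database/sql"
	"database/sql/driver"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strconv"
	"strings"
)

// captured is what the (constructed) recording driver last received from
// database/sql: the SQL text and, separately, the bound arguments.
type captured struct {
	Query string
	Args  []driver.Value
}

// recordingDriver stands in for a real driver (MySQL, Postgres, ...). It executes
// nothing; it only records what reaches it, which is what a real server would see.
type recordingDriver struct{ last *captured }

var rec = &recordingDriver{}

func init() { sql.Register("recording", rec) } // "recording" is an assumed driver name

func (d *recordingDriver) Open(string) (driver.Conn, error) { return &recConn{d: d}, nil }

type recConn struct{ d *recordingDriver }

func (c *recConn) Prepare(q string) (driver.Stmt, error) { return &recStmt{c: c, q: q}, nil }
func (c *recConn) Close() error                           { return nil }
func (c *recConn) Begin() (driver.Tx, error)              { return nil, errors.New("transactions not supported") }

type recStmt struct {
	c *recConn
	q string
}

func (s *recStmt) Close() error  { return nil }
func (s *recStmt) NumInput() int { return -1 } // -1: database/sql skips the placeholder-count check
func (s *recStmt) Exec(args []driver.Value) (driver.Result, error) {
	s.c.d.last = &captured{Query: s.q, Args: args}
	return driver.RowsAffected(0), nil
}
func (s *recStmt) Query(args []driver.Value) (driver.Rows, error) {
	s.c.d.last = &captured{Query: s.q, Args: args}
	return emptyRows{}, nil
}

// emptyRows is a result set with one column and no rows.
type emptyRows struct{}

func (emptyRows) Columns() []string         { return []string{"id"} }
func (emptyRows) Close() error              { return nil }
func (emptyRows) Next([]driver.Value) error { return io.EOF }

// lookupUnsafe pastes the raw query-string value into the SQL text, so the driver
// (and the real database) receives it as part of the statement itself.
func lookupUnsafe(db *sql.DB, userId string) (*captured, error) {
	rows, err := db.Query("SELECT * FROM users WHERE id=" + userId)
	if err != nil {
		return nil, err
	}
	rows.Close()
	return rec.last, nil
}

// lookupSafe is the answer's form: the SQL text is a constant and the value
// travels as a bound argument, so it cannot change the statement's structure.
func lookupSafe(db *sql.DB, userId string) (*captured, error) {
	rows, err := db.Query("SELECT * FROM users WHERE id=?", userId)
	if err != nil {
		return nil, err
	}
	rows.Close()
	return rec.last, nil
}

// userIDFromRequest reads the parameter exactly as in the question and, since an
// id is numeric, rejects anything that is not a positive integer. Binding the
// argument already prevents injection; this validation is about correct types
// and clear error handling, not a replacement for it.
func userIDFromRequest(r *http.Request) (int64, error) {
	raw := strings.TrimSpace(r.URL.Query().Get("userId"))
	id, err := strconv.ParseInt(raw, 10, 64)
	if err != nil || id <= 0 {
		return 0, fmt.Errorf("invalid userId %q", raw)
	}
	return id, nil
}

func main() {
	db, _ := sql.Open("recording", "")
	hostile := "1 OR 1=1" // constructed malicious input
	c, _ := lookupUnsafe(db, hostile)
	fmt.Printf("unsafe: query=%q args=%v\n", c.Query, c.Args)
	c, _ = lookupSafe(db, hostile)
	fmt.Printf("safe:   query=%q args=%v\n", c.Query, c.Args)
	r, _ := http.NewRequest("GET", "/user?userId=42", nil)
	id, err := userIDFromRequest(r)
	fmt.Println("parsed id:", id, "err:", err)
}
```

Running it prints the unsafe query with "OR 1=1" spliced into the SQL text and no arguments, and the safe query with the text unchanged and the whole string delivered as a single argument; a real driver sends that argument to the server out of band (or escapes it itself), which is why the answer's form is the one to use.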