Are query strings in golang safe?
Consider the following retrieval of a URL parameter that is passed in the URL:
userId := r.URL.Query().Get("userId") // r is the incoming *http.Request
Is this safe (escaped and ready to use in a db call) as it is, or do I need to avoid / sanitize it before using it?
Adergaard
1 answer
This is not db safe, and you must use the database driver's escaping before putting anything into it.
You should use functions such as sql.DB.Query()
that let you pass arguments and escape them properly. http://golang.org/pkg/database/sql/#DB.Query
e.g.
userId := r.URL.Query().Get("userId") // r is the incoming *http.Request
rows, err := db.Query("SELECT * FROM users WHERE id=?", userId)
Not_a_Golfer
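An added example (not code from the asker or the answerer) that wires the answer's advice into a handler: the SQL text stays fixed with a `?` placeholder and the value travels to the driver as a separate argument, with an integer check in front since ids are numeric. The `users` table, the open `db` handle and the `?` placeholder style are assumed (MySQL/SQLite style; Postgres drivers use `$1`).

```go
package main

import (
	"database/sql"
	"errors"
	"fmt"
	"net/http"
	"strconv"
)

// unsafeUserQuery is the pattern the question worries about: the raw
// query-string value is spliced into the SQL text, so it is NOT safe.
func unsafeUserQuery(userID string) string {
	return "SELECT * FROM users WHERE id=" + userID
}

// safeUserQuery returns the SQL text and the argument list separately, the
// way database/sql expects them: the text never changes, and the value is
// handed to the driver as a bound parameter.
func safeUserQuery(userID interface{}) (string, []interface{}) {
	return "SELECT * FROM users WHERE id=?", []interface{}{userID}
}

// parseUserID adds a second layer: ids are integers, so reject anything
// that is not a positive integer before it reaches the database at all.
func parseUserID(raw string) (int64, error) {
	id, err := strconv.ParseInt(raw, 10, 64)
	if err != nil || id <= 0 {
		return 0, errors.New("invalid userId")
	}
	return id, nil
}

// userHandler reads the query string, validates it, then runs the
// parameterized query against db (an open *sql.DB, assumed here).
func userHandler(db *sql.DB) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		id, err := parseUserID(r.URL.Query().Get("userId"))
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		q, args := safeUserQuery(id)
		rows, err := db.QueryContext(r.Context(), q, args...)
		if err != nil {
			http.Error(w, "query failed", http.StatusInternalServerError)
			return
		}
		defer rows.Close()
		fmt.Fprintf(w, "looked up user %d\n", id)
	}
}
```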