Consider the following fetch of the URL parameter userId passed on a URL:

userId := r.URL.Query().Get("userId") // r is the *http.Request handed to the handler

Is this safe (escaped and ready to be used in a db call) as it is or do I need to escape it /sanitize it before use?

  • Nothing should ever be assumed "safely escaped" - always use your database driver's parameterisation. Commented Aug 22, 2014 at 15:04
  • Thanks. Redis hasn't got such a method afaik but thanks anyways. Commented Aug 22, 2014 at 15:13
  • You didn't mention Redis—which isn't vulnerable because it's a key:value store. Values aren't inspected/processed, and commands are separate from data (unlike SQL). Commented Aug 22, 2014 at 15:21
  • Redis was an example of a "database" that has no such method. The fact that values aren't inspected there is irrelevant. The use of that value may later be in such a context that it becomes harmful. Never mind, it's not important. I got the answer below and accepted it. Commented Aug 22, 2014 at 17:54

1 Answer

This is not db-safe, and you should use the database driver's escaping before putting anything in it.

You should use functions like sql.DB.Query() that let you pass arguments and properly escape them. http://golang.org/pkg/database/sql/#DB.Query

e.g.

userId := r.URL.Query().Get("userId") // r is the *http.Request handed to the handler

// The SQL text stays constant; userId is passed as a bound argument, not spliced into the string.
rows, err := db.Query("SELECT * FROM users WHERE id=?", userId)

2 Comments

what if userId == "1' or 1=1 -- -'INSERT INTO users ...'
@dalu it gets escaped in a way that wouldn't cause problems.
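A fuller version of the pattern the answer describes, as an added example (not code from the question or the answer). It assumes a hypothetical users table whose id is an integer and a driver that uses ? placeholders, and it puts the handler behind a small querier interface that *sql.DB satisfies so the wiring can be exercised without a live database. The injection string from the comment above is rejected at validation time, and even if validation were dropped it would travel as a bound argument rather than becoming part of the SQL text.

```go
package main

import (
	"database/sql"
	"errors"
	"fmt"
	"net/http"
	"strconv"
)

// querier is satisfied by *sql.DB; it lets the handler run without a driver loaded.
type querier interface {
	Query(query string, args ...interface{}) (*sql.Rows, error)
}

// unsafeUserQuery is the pattern to avoid: the raw parameter becomes part of the SQL text,
// so an input like the one in the comment above rewrites the statement.
func unsafeUserQuery(userID string) string {
	return "SELECT * FROM users WHERE id='" + userID + "'"
}

// safeUserQuery keeps SQL and data apart: the statement text is a constant and the value
// travels as a bound argument. It also validates the input, since id is an integer in the
// hypothetical schema assumed here.
func safeUserQuery(userID string) (query string, args []interface{}, err error) {
	id, err := strconv.Atoi(userID)
	if err != nil {
		return "", nil, errors.New("userId must be an integer")
	}
	return "SELECT * FROM users WHERE id=?", []interface{}{id}, nil
}

// userHandler reads userId from the request (r is the *http.Request the handler receives)
// and hands the constant statement plus bound argument to db.Query.
func userHandler(db querier) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		query, args, err := safeUserQuery(r.URL.Query().Get("userId"))
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		rows, err := db.Query(query, args...)
		if err != nil {
			http.Error(w, "query failed", http.StatusInternalServerError)
			return
		}
		defer rows.Close()
		fmt.Fprintln(w, "ok")
	}
}
```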
