How to use SQL injection protection in Golang?

How to defend against SQL injection: Use parameterized queries: Use user input as parameters of the query instead of including it in the query string. Using the SQLX package: Use the SQLX library to parameterize queries with named queries and placeholders. Validate input: Validate the validity of user input before using it in a SQL query.

How to defend against SQL injection in Go

SQL injection is a common web application security vulnerability that allows attacks Authors modify SQL queries to access or modify unauthorized data. To prevent SQL injection in Go, you can take the following steps:

1. Use parameterized queries

Parameterized queries take user input as parameters of the query instead included directly in the query string. This prevents attackers from modifying the query to inject malicious code.

Example:

import (
    "database/sql"
    "fmt"
)

func main() {
    db, err := sql.Open("mysql", "root:password@/database_name")
    if err != nil {
        panic(err)
    }
    defer db.Close()

    username := "username"
    stmt, err := db.Prepare("SELECT * FROM users WHERE username = ?")
    if err != nil {
        panic(err)
    }

    rows, err := stmt.Query(username)
    if err != nil {
        panic(err)
    }
    defer rows.Close()

    if !rows.Next() {
        fmt.Println("用户不存在。")
    }
}

2. Using the SQLX package

SQLX is a Go library that provides a typed way to execute SQL queries and prevent SQL injection. It uses named queries and placeholders to parameterize queries.

Example:

import (
    "database/sql"
    "fmt"

    "github.com/jmoiron/sqlx"
)

func main() {
    db, err := sql.Open("mysql", "root:password@/database_name")
    if err != nil {
        panic(err)
    }
    defer db.Close()

    dbx := sqlx.NewDb(db, "mysql")

    username := "username"
    stmt, err := dbx.PrepareNamed("SELECT * FROM users WHERE username = :username")
    if err != nil {
        panic(err)
    }

    rows, err := stmt.Queryx(map[string]interface{}{"username": username})
    if err != nil {
        panic(err)
    }
    defer rows.Close()

    if !rows.Next() {
        fmt.Println("用户不存在。")
    }
}

3. Validate input

Verify user input is valid before using it in a SQL query sex. Make sure the input is formatted correctly and does not contain any malicious characters.

Example:

func validateInput(input string) error {
    if len(input) > 100 || len(input) == 0 {
        return errors.New("无效的输入长度")
    }

    for _, r := range input {
        if !unicode.IsLetter(r) && !unicode.IsDigit(r) {
            return errors.New("无效的输入字符")
        }
    }

    return nil
}

By following these steps, you can help prevent SQL injection vulnerabilities and make your Go web applications more secure.

The above is the detailed content of How to use SQL injection protection in Golang?. For more information, please follow other related articles on the PHP Chinese website!