Day-to-day database operation requires, from an administrator,
deep knowledge of database internals and of security issues, SQL
injection in particular. To prevent that kind of attack, we have
included go-sql-driver in our code for secure placeholder escaping.
Unfortunately, not all cases are covered by the driver.
When we use the standard driver for working with MySQL and need
to pass a variable to a database query, we use a "?" placeholder
so that the server knows it must treat the incoming value as data
rather than as part of the statement, which prevents injection.
This works fine for regular SELECT/INSERT/UPDATE statements, but,
unfortunately, the MySQL server cannot process placeholders in all
types of queries.
For example:
db.Exec("CREATE USER ?@? IDENTIFIED BY ?", name, host, pass)
This query will return an error from the …
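The two situations above side by side, as an added example that is not code from the original post or from go-sql-driver: CountUsers uses a "?" placeholder in a plain SELECT, which the driver sends as a prepared statement; BuildCreateUser handles the CREATE USER case, where placeholders are rejected by the server and the driver cannot escape for us, by checking the user and host against a strict allowlist and quoting the password as a MySQL string literal before interpolating. The function names, the allowlist pattern (which admits "%" so host wildcards still work) and the assumption that NO_BACKSLASH_ESCAPES is off are choices made for this example, not something the post specifies.

```go
package main

import (
	"database/sql"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// identRe is a deliberately strict allowlist for account names and hosts
// (assumption for this example): letters, digits, "_", ".", "-" and "%".
var identRe = regexp.MustCompile(`^[A-Za-z0-9_.%-]{1,32}$`)

// CountUsers is the case the driver secures for us: a regular SELECT with
// a "?" placeholder. The value of name travels as a bound parameter and is
// never parsed as SQL by the server.
func CountUsers(db *sql.DB, name string) (int, error) {
	var n int
	err := db.QueryRow("SELECT COUNT(*) FROM mysql.user WHERE User = ?", name).Scan(&n)
	return n, err
}

// quoteLiteral turns s into a single-quoted MySQL string literal,
// backslash-escaping the characters MySQL treats specially inside quotes.
// Assumes the server runs without NO_BACKSLASH_ESCAPES.
func quoteLiteral(s string) string {
	r := strings.NewReplacer(
		`\`, `\\`,
		`'`, `\'`,
		`"`, `\"`,
		"\x00", `\0`,
		"\n", `\n`,
		"\r", `\r`,
		"\x1a", `\Z`,
	)
	return "'" + r.Replace(s) + "'"
}

// BuildCreateUser assembles the statement that cannot take "?" placeholders.
// Because the driver cannot escape here, every interpolated value is either
// allowlist-validated (name, host) or quoted as a literal (password).
func BuildCreateUser(name, host, pass string) (string, error) {
	if !identRe.MatchString(name) {
		return "", fmt.Errorf("invalid user name %q", name)
	}
	if !identRe.MatchString(host) {
		return "", fmt.Errorf("invalid host %q", host)
	}
	if pass == "" {
		return "", errors.New("empty password")
	}
	stmt := fmt.Sprintf("CREATE USER '%s'@'%s' IDENTIFIED BY %s",
		name, host, quoteLiteral(pass))
	return stmt, nil
}

func main() {
	// Constructed inputs: a valid account and one with a quote in the name.
	stmt, err := BuildCreateUser("app", "localhost", "s3cr'et")
	fmt.Println(stmt, err)
	_, err = BuildCreateUser("app' OR 1", "localhost", "x")
	fmt.Println("rejected:", err)
}
```

The returned statement is meant to be passed to db.Exec with no further arguments; the point of keeping the building step in a separate, testable function is that the validation is exercised even when no database is available.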