 

Are query strings in golang safe?

Consider the following fetch of the URL parameter userId passed on a URL:

userId := r.URL.Query().Get("userId") // r is the *http.Request passed to the handler

Is this safe (escaped and ready to be used in a db call) as it is or do I need to escape it /sanitize it before use?

Adergaard asked Mar 18 '23 16:03


1 Answer

This is not db-safe, and you should use the database driver's escaping before putting anything in it.

You should use functions like sql.DB.Query() that let you pass arguments and properly escape them. http://golang.org/pkg/database/sql/#DB.Query

e.g.

userId := r.URL.Query().Get("userId") // r is the *http.Request passed to the handler

// The SQL text and the argument travel separately; the driver binds the value,
// so it is never spliced into the statement. "?" is the MySQL-style placeholder.
rows, err := db.Query("SELECT * FROM users WHERE id = ?", userId)
Not_a_Golfer answered Mar 27 '23 21:03
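The following is an added example, not code from the question or the answer above. It shows three things a practitioner would want to see at this point: that `r.URL.Query().Get` hands back the percent-decoded value with no escaping at all (a constructed tautology payload comes through intact), what that value does when pasted into SQL text, and the parameterized plus type-validated path that the answer recommends. The `users(id, name)` table, the MySQL-style `?` placeholder, and the helper and handler names are assumptions made for the example; `*sql.DB` is taken as a parameter so the file compiles without a driver, and the handler rejects a bad `userId` before the database is ever touched.

```go
package main

import (
	"context"
	"database/sql"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// userIDFromRequest does exactly what the snippet in the question does:
// it returns the percent-decoded query value, with no escaping of any kind.
func userIDFromRequest(r *http.Request) string {
	return r.URL.Query().Get("userId")
}

// unsafeQuery is the injectable pattern: the raw value is pasted into the SQL text.
// Shown only to make the problem visible; never run this against a database.
func unsafeQuery(userID string) string {
	return "SELECT * FROM users WHERE id='" + userID + "'"
}

// parseUserID enforces the expected type before the value reaches the database.
// Parameterization alone already prevents injection; this adds input validation
// so that non-numeric or nonsensical ids are rejected at the edge.
func parseUserID(raw string) (int64, error) {
	id, err := strconv.ParseInt(raw, 10, 64)
	if err != nil {
		return 0, fmt.Errorf("userId %q is not an integer: %w", raw, err)
	}
	if id <= 0 {
		return 0, errors.New("userId must be positive")
	}
	return id, nil
}

// lookupUser sends the SQL text and the argument separately, so the driver binds
// the value instead of splicing it into the statement. "?" is the MySQL placeholder
// (assumption); PostgreSQL drivers use $1. Assumes a table users(id, name).
func lookupUser(ctx context.Context, db *sql.DB, id int64) (string, error) {
	var name string
	err := db.QueryRowContext(ctx, "SELECT name FROM users WHERE id = ?", id).Scan(&name)
	return name, err
}

// handler wires the steps together: read, validate, then query with a bound parameter.
func handler(db *sql.DB) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		id, err := parseUserID(userIDFromRequest(r))
		if err != nil {
			http.Error(w, "bad userId", http.StatusBadRequest)
			return
		}
		name, err := lookupUser(r.Context(), db, id)
		if errors.Is(err, sql.ErrNoRows) {
			http.NotFound(w, r)
			return
		}
		if err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		fmt.Fprintln(w, name)
	}
}

func main() {
	// Constructed request: a classic tautology payload, percent-encoded the way a
	// browser would send it. Query() decodes %27 to ' and + to a space.
	r := httptest.NewRequest(http.MethodGet, "/user?userId=1%27+OR+%271%27%3D%271", nil)
	raw := userIDFromRequest(r)
	fmt.Printf("raw value:    %s\n", raw)
	fmt.Printf("unsafe query: %s\n", unsafeQuery(raw))
	if _, err := parseUserID(raw); err != nil {
		fmt.Println("rejected:", err)
	}

	// The handler never reaches the database for a bad id, so a nil *sql.DB is safe here.
	rec := httptest.NewRecorder()
	handler(nil).ServeHTTP(rec, r)
	fmt.Println("handler status:", rec.Code)
}
```

Running it prints the decoded payload `1' OR '1'='1`, the concatenated statement `SELECT * FROM users WHERE id='1' OR '1'='1'` that would match every row, the validation error, and a 400 from the handler. The parameterized `lookupUser` would receive the same string only as a bound argument, never as SQL.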