Consider the following fetch of the URLParam userId passed on a URL:
userId := r.URL.Query().Get("userId") // r is the *http.Request being handled
Is this safe (escaped and ready to be used in a db call) as it is, or do I need to escape it / sanitize it before use?
This is not db-safe, and you should use the database driver's escaping before putting anything in it.
You should use functions like sql.DB.Query() that let you pass arguments and properly escape them: http://golang.org/pkg/database/sql/#DB.Query
e.g.
userId := r.URL.Query().Get("userId") // r is the *http.Request being handled
rows, err := db.Query("SELECT * FROM users WHERE id=?", userId) // userId is bound as a parameter, never spliced into the SQL text