The format package doesn't escape strings
icholy opened this issue · 3 comments
icholy commented
The `String()` method on builders is completely vulnerable to SQL injection.
```go
package main

import (
	"fmt"

	lk "github.com/ulule/loukoum"
)

func main() {
	// The value passed to Equal() is spliced verbatim into the query text by String().
	fmt.Println(
		lk.Select("*").From("users").Where(
			lk.Condition("name").Equal("' OR 1 == 1 --"),
		).String(),
	)
}
```

output:

```sql
SELECT * FROM users WHERE (name = '' OR 1 == 1 --')
```
novln commented
Hello,
If you want safety, you should use `lk.Select("*").From("users").Where(...).Prepare()`.

`String()` is mainly used for debugging and has a huge footprint (see below):

Line 26 in d6ee7ea

Hope that helps.
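To make the difference between the two rendering modes concrete, here is an added example with a toy builder that mirrors the `Select(...).From(...).Where(Condition(...).Equal(...))` shape used in this thread. It is not loukoum's code: the types, the `$1`-style placeholders and the `Prepare()` return shape `(string, []interface{})` are assumptions made for the example. The `String()` method reproduces the interpolating behaviour reported above, while `Prepare()` keeps the same payload as a separate argument that a driver sends as a parameter.

```go
package main

import (
	"fmt"
	"strings"
)

// Cond is one "column op value" predicate. It is a minimal stand-in for
// loukoum's Condition type (an assumption for this example, not the real one).
type Cond struct {
	column string
	op     string
	value  interface{}
}

// Condition starts a predicate on the given column.
func Condition(column string) Cond { return Cond{column: column} }

// Equal completes the predicate with an equality test against value.
func (c Cond) Equal(value interface{}) Cond {
	c.op = "="
	c.value = value
	return c
}

// SelectBuilder mirrors the Select(...).From(...).Where(...) chain from the issue.
type SelectBuilder struct {
	columns []string
	table   string
	where   []Cond
}

func Select(columns ...string) *SelectBuilder { return &SelectBuilder{columns: columns} }

func (b *SelectBuilder) From(table string) *SelectBuilder { b.table = table; return b }

func (b *SelectBuilder) Where(conds ...Cond) *SelectBuilder {
	b.where = append(b.where, conds...)
	return b
}

func (b *SelectBuilder) head() string {
	return "SELECT " + strings.Join(b.columns, ", ") + " FROM " + b.table
}

// String renders the query for debugging with every value spliced into the
// SQL text, unescaped. A value containing a quote therefore rewrites the
// statement, which is exactly the behaviour reported in this issue.
func (b *SelectBuilder) String() string {
	if len(b.where) == 0 {
		return b.head()
	}
	parts := make([]string, 0, len(b.where))
	for _, c := range b.where {
		parts = append(parts, fmt.Sprintf("%s %s '%v'", c.column, c.op, c.value))
	}
	return b.head() + " WHERE (" + strings.Join(parts, " AND ") + ")"
}

// Prepare renders the query with positional placeholders ($1, $2, ...) and
// returns the values separately. Handed to database/sql as
// db.Query(query, args...), the driver sends each value as a parameter,
// so it is never parsed as part of the SQL statement.
func (b *SelectBuilder) Prepare() (string, []interface{}) {
	if len(b.where) == 0 {
		return b.head(), nil
	}
	parts := make([]string, 0, len(b.where))
	args := make([]interface{}, 0, len(b.where))
	for i, c := range b.where {
		parts = append(parts, fmt.Sprintf("%s %s $%d", c.column, c.op, i+1))
		args = append(args, c.value)
	}
	return b.head() + " WHERE (" + strings.Join(parts, " AND ") + ")", args
}

func main() {
	// Constructed payload: the same string as in the issue report.
	payload := "' OR 1 == 1 --"
	q := Select("*").From("users").Where(Condition("name").Equal(payload))

	fmt.Println("String():", q.String())
	query, args := q.Prepare()
	fmt.Println("Prepare():", query)
	fmt.Printf("args: %q\n", args)
}
```

The interpolated form ends up as `name = '' OR 1 == 1 --'`, the same text shown in the report, whereas the prepared form is `name = $1` with the payload carried in `args`. Only the second pair is suitable for passing to `db.Query`; the first is a debugging aid and should never reach a database.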
icholy commented
@novln I realise after reading through the code, but that wasn't mentioned anywhere in the docs. Something like that should be front and center, bolded, in a red font.
novln commented
Noted 😄
I'll do a sweep on the documentation to ensure that this kind of information is shared.

If you find anything that needs clarification, don't hesitate.