I researched around the forum for PostgreSQL injection in Go and found some useful information on SQL injection, like below:
How to execute an IN lookup in SQL using Golang?
How can I prevent SQL injection attacks in Go while using "database/sql"?
But I still need some advice, because my Go code uses a different kind of code and use cases. Some use cases/questions I need advice on are like this:

1. INSERT INTO a (a1,a2,a3) VALUES (%d,%d,%s)
using fmt.Sprintf. I know using Sprintf is bad, so is there any solution for this loop query for insert?
Ex: INSERT INTO a (a1,a2,a3) VALUES (%d,%d,%s),(%d,%d,%s),(%d,%d,%s)

2. %d instead of %s?

3. Select * from a where text = $1
-> is using this $1 safe?
and
Ex: Select * from a where text = :text
-> is this safe in function NamedQuery?

Kindly need your advice, guys. Thank you!
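The loop-insert case asked about above, as an added example that is not from the question or from any answer: instead of fmt.Sprintf-ing the values into the statement, only the numbered placeholders ($1, $2, ...) are formatted into the SQL text and the values are handed to database/sql as arguments, so the driver sends them separately from the query. The table and column names (a, a1, a2, a3) come from the question; the Row type, the function names and the 65535-parameter limit check are my assumptions, and a registered PostgreSQL driver is assumed but not shown.

```go
package main

import (
	"context"
	"database/sql"
	"errors"
	"fmt"
	"strings"
)

// Row is one row destined for table "a" (columns a1, a2, a3 from the question).
// Hypothetical type for this example.
type Row struct {
	A1 int
	A2 int
	A3 string
}

// PostgreSQL's extended protocol encodes the parameter count as a 16-bit
// integer, so a single statement can carry at most 65535 bind values.
const maxPgParams = 65535

// BuildMultiInsert returns a parameterized multi-row INSERT for PostgreSQL
// plus the flat argument slice that goes with it. Values never touch the SQL
// text: only the placeholder numbers are formatted in, so a3 containing
// quotes, semicolons or comment markers is carried purely as data.
func BuildMultiInsert(rows []Row) (string, []interface{}, error) {
	if len(rows) == 0 {
		return "", nil, errors.New("no rows to insert")
	}
	const cols = 3
	if len(rows)*cols > maxPgParams {
		return "", nil, fmt.Errorf("too many rows for one statement: %d values > %d, chunk the batch", len(rows)*cols, maxPgParams)
	}
	var sb strings.Builder
	sb.WriteString("INSERT INTO a (a1,a2,a3) VALUES ")
	args := make([]interface{}, 0, len(rows)*cols)
	for i, r := range rows {
		if i > 0 {
			sb.WriteString(",")
		}
		base := i * cols
		// Only placeholder numbers are formatted here, never the row values.
		fmt.Fprintf(&sb, "($%d,$%d,$%d)", base+1, base+2, base+3)
		args = append(args, r.A1, r.A2, r.A3)
	}
	return sb.String(), args, nil
}

// InsertRows executes the statement built above against any database/sql
// handle opened with a PostgreSQL driver (driver registration assumed).
func InsertRows(ctx context.Context, db *sql.DB, rows []Row) error {
	q, args, err := BuildMultiInsert(rows)
	if err != nil {
		return err
	}
	_, err = db.ExecContext(ctx, q, args...)
	return err
}

// FindByText is the $1 form from the question: the value is passed as an
// argument rather than interpolated, which is the safe pattern.
func FindByText(ctx context.Context, db *sql.DB, text string) (*sql.Rows, error) {
	return db.QueryContext(ctx, "SELECT * FROM a WHERE text = $1", text)
}

func main() {
	// Constructed sample rows; the last a3 value contains characters that
	// would break a Sprintf-built query but are harmless as a bound parameter.
	rows := []Row{
		{1, 2, "plain"},
		{3, 4, "O'Reilly"},
		{5, 6, "text with ; and -- inside"},
	}
	q, args, err := BuildMultiInsert(rows)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(q)
	fmt.Printf("%d args: %v\n", len(args), args)
}
```

Running main prints INSERT INTO a (a1,a2,a3) VALUES ($1,$2,$3),($4,$5,$6),($7,$8,$9) followed by the nine bound values; note that the %d-versus-%s question becomes moot with this approach, since integers and strings alike travel as parameters and the statement text is fixed regardless of the data.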
Firstly, usually prefer to use the DB placeholders (?, $1, etc.).
General rules: