Closed nicobouliane closed 7 years ago
Well, we didn't cover postgresql because it isn't part of the standard library.
I also did a quick search and noticed that go-mssqldb uses mssqldb's standard format which is also different:
```go
db.QueryContext(ctx, `select * from t where ID = @ID;`, sql.Named("ID", 6))
```
Maybe we can mention that developers should read the documentation of the driver they're using regarding this, and note the fact that some database drivers use a different syntax for placeholders?
/cc @PauloASilva @ErezYalon
Sounds like a good idea! Thanks for your reply.
There's already a footnote stating that:

> The placeholder syntax in prepared statements is database-specific.
Ok, I'll close the issue then, although, in my opinion, a little more emphasis on this does not seem like a bad idea given its importance.
@jparnaut

> Ok, I'll close the issue then, although, in my opinion, a little more emphasis on this does not seem like a bad idea given its importance.
I do agree, let's reopen the issue and work on it.
@nicobouliane would you like to rewrite the section to include your suggestion?
Waiting for PR#20
PR#30 closes this issue.
https://github.com/Checkmarx/Go-SCP/blob/master/src/output-encoding/sql-injection.md
It could be specified that PostgreSQL uses $1, $2, $3... and that MySQL uses ?, ?...
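The point made throughout this thread, that the SQL text stays fixed while values travel as bound arguments and only the placeholder token changes per driver, can be shown in one small Go program. The following is an added example and not code from the Go-SCP repository or any driver; the `Dialect` type, the `users` table and the `@p1`-style positional names for SQL Server are assumptions chosen for illustration. No database connection is opened: the functions only build the query string and its argument slice, which is exactly the part a developer gets wrong when switching drivers.

```go
package main

import (
	"database/sql"
	"fmt"
	"strings"
)

// Dialect identifies the placeholder style a database/sql driver expects.
// The type and its names are constructed for this example; they are not part
// of database/sql or of any driver.
type Dialect int

const (
	DialectMySQL    Dialect = iota // ?, ?, ...   (go-sql-driver/mysql, sqlite)
	DialectPostgres                // $1, $2, ... (lib/pq, pgx)
	DialectMSSQL                   // @p1, @p2 or @Name with sql.Named (go-mssqldb)
)

// Placeholder returns the n-th (1-based) positional placeholder for the dialect.
func Placeholder(d Dialect, n int) string {
	switch d {
	case DialectPostgres:
		return fmt.Sprintf("$%d", n)
	case DialectMSSQL:
		return fmt.Sprintf("@p%d", n)
	default:
		return "?"
	}
}

// BuildInQuery builds "SELECT ... WHERE id IN (...)" with one placeholder per
// id. The ids are returned separately so the driver binds them as parameters;
// user-controlled values never become part of the SQL text.
func BuildInQuery(d Dialect, ids []int) (string, []interface{}) {
	if len(ids) == 0 {
		return "", nil
	}
	marks := make([]string, len(ids))
	args := make([]interface{}, len(ids))
	for i, id := range ids {
		marks[i] = Placeholder(d, i+1)
		args[i] = id
	}
	query := "SELECT id, name FROM users WHERE id IN (" + strings.Join(marks, ", ") + ")"
	return query, args
}

// BuildNamedQuery shows the go-mssqldb style quoted in the thread: the
// placeholder is referenced by name and the value is wrapped in sql.Named.
func BuildNamedQuery(id int) (string, []interface{}) {
	return "SELECT id, name FROM users WHERE id = @ID", []interface{}{sql.Named("ID", id)}
}

func main() {
	// Constructed sample input standing in for values taken from a request.
	ids := []int{6, 42}
	for _, d := range []Dialect{DialectMySQL, DialectPostgres, DialectMSSQL} {
		q, args := BuildInQuery(d, ids)
		fmt.Printf("%-40s args=%v\n", q, args)
	}
	q, args := BuildNamedQuery(6)
	fmt.Printf("%-40s args=%v\n", q, args)
	// The query strings differ only in the placeholder token; the values are
	// identical and would be passed to db.QueryContext(ctx, q, args...).
}
```

The same argument slice is handed to `db.Query` or `db.QueryContext` regardless of driver; if the placeholder token does not match the driver, the driver reports a syntax or argument-count error rather than silently running a different statement, which is why the thread suggests pointing readers to their driver's documentation.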