Open brentlaster opened 1 day ago
The code scanning alert indicates a vulnerability due to user-controlled sources being used to build database queries. Here are the steps to fix the issues identified:

1. **Use parameterized queries.** Instead of using `fmt.Sprintf()` to build SQL queries, use parameterized queries to prevent SQL injection. Example fix for the `NameQuery` function:

   ```go
   // Old vulnerable code
   // rows, err := DB.Query(fmt.Sprintf("SELECT * FROM books WHERE name = '%s'", r))

   // Fixed code using parameterized query
   rows, err := DB.Query("SELECT * FROM books WHERE name = ?", r)
   ```

   Apply similar fixes to `AuthorQuery`, `ReadQuery`, and any other functions that build queries from user input.
2. **Modify all affected functions.** Ensure all query functions in `models/models.go` use parameterized queries.
3. **Review the rest of the codebase.** Check for other instances where user input might be used directly in queries and apply the same fix.

By implementing these changes, you can mitigate the risk of SQL injection attacks in your application.
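As an added illustration (not code from this issue or the project), both forms of `NameQuery` are run through `database/sql` against a constructed recording driver, so you can see that with `fmt.Sprintf` the input becomes part of the SQL text (a legitimate name containing a quote already corrupts the statement), while the parameterized form sends a fixed statement and the value separately. The `?` placeholder is what MySQL and SQLite drivers accept; PostgreSQL drivers expect `$1`.

```go
package main

import (
	"context"
	"database/sql"
	"database/sql/driver"
	"fmt"
	"io"
)

// recDriver is a constructed stand-in driver: it records what database/sql hands it.
type recDriver struct{ Query string; Args []driver.NamedValue }
type recConn struct{ d *recDriver }
type recRows struct{}

func (d *recDriver) Connect(context.Context) (driver.Conn, error) { return &recConn{d}, nil }
func (d *recDriver) Driver() driver.Driver                        { return d }
func (d *recDriver) Open(string) (driver.Conn, error)             { return &recConn{d}, nil }
func (c *recConn) Prepare(string) (driver.Stmt, error)            { return nil, fmt.Errorf("not supported") }
func (c *recConn) Close() error                                   { return nil }
func (c *recConn) Begin() (driver.Tx, error)                      { return nil, fmt.Errorf("not supported") }
func (r *recRows) Columns() []string                              { return nil }
func (r *recRows) Close() error                                   { return nil }
func (r *recRows) Next([]driver.Value) error                      { return io.EOF }

// QueryContext is what database/sql calls for db.Query: SQL text and bound args arrive separately.
func (c *recConn) QueryContext(_ context.Context, q string, args []driver.NamedValue) (driver.Rows, error) {
	c.d.Query, c.d.Args = q, args
	return &recRows{}, nil
}

var rec = &recDriver{}
var db = sql.OpenDB(rec) // connector form: no sql.Register/sql.Open needed

// run executes one query through database/sql and reports what the driver saw.
func run(query string, args ...interface{}) (string, []driver.NamedValue, error) {
	rows, err := db.Query(query, args...)
	if err != nil {
		return "", nil, err
	}
	rows.Close() // hand the connection back; only what reached the driver matters
	return rec.Query, rec.Args, nil
}

// NameQueryVulnerable is the pattern the alert flags: input spliced into the SQL text.
func NameQueryVulnerable(r string) (string, []driver.NamedValue, error) {
	return run(fmt.Sprintf("SELECT * FROM books WHERE name = '%s'", r))
}

// NameQueryFixed keeps the SQL text constant and binds the input as a parameter.
func NameQueryFixed(r string) (string, []driver.NamedValue, error) {
	return run("SELECT * FROM books WHERE name = ?", r)
}
```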
Tracking issue for: