craftypenguins / postgres-go-makedb

A simple golang docker container for creating databases

Use parameters in db.Query #1

Status: Open. kti-matt opened this issue 5 years ago

kti-matt commented 5 years ago

db.Query calls should use parameters to avoid SQL injection.

This is not a major concern in this case because the values come from environment variables supplied by a sysadmin, but using parameters is a good practice.

There are examples here: https://golang.org/pkg/database/sql/#DB.Query and https://flaviocopes.com/golang-sql-database/#select-a-single-row.

kti-matt commented 5 years ago

I see there is a real potential issue (I mean, not just avoiding a sysadmin attacking his/her own database) - this line will go boom if the user's password has a single quote:

```go
_, err = db.Query("ALTER USER " + dbOwner + " WITH ENCRYPTED PASSWORD '" + dbOwnerPwd + "';")
```
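An added example, not code from the issue or the project, showing the caveat behind this line: PostgreSQL does not accept `$1` bind parameters in utility statements such as `ALTER USER`, so the role name and the password literal must be quoted with PostgreSQL's own rules instead, while ordinary queries keep using placeholders. The function names (`quoteIdentifier`, `quoteLiteral`, `safeAlterUser`, `roleExistsQuery`) are hypothetical; if your driver ships quoting helpers (lib/pq's `QuoteIdentifier`/`QuoteLiteral`, pgx's `Identifier.Sanitize`), prefer those over hand-rolled ones.

```go
package main

import (
	"fmt"
	"strings"
)

// quoteIdentifier quotes a PostgreSQL identifier (role or database name):
// wrap in double quotes and double any embedded double quote.
func quoteIdentifier(name string) string {
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// quoteLiteral quotes a PostgreSQL string literal: double embedded single
// quotes; if a backslash is present, emit the E'' form with backslashes
// doubled so the result does not depend on standard_conforming_strings.
func quoteLiteral(s string) string {
	s = strings.ReplaceAll(s, `'`, `''`)
	if strings.Contains(s, `\`) {
		return `E'` + strings.ReplaceAll(s, `\`, `\\`) + `'`
	}
	return `'` + s + `'`
}

// unsafeAlterUser reproduces the concatenation quoted in the issue (hypothetical
// helper around it): a single quote in pwd leaves the statement unbalanced.
func unsafeAlterUser(owner, pwd string) string {
	return "ALTER USER " + owner + " WITH ENCRYPTED PASSWORD '" + pwd + "';"
}

// safeAlterUser builds the same utility statement with both values quoted,
// since ALTER USER cannot take $1 placeholders.
func safeAlterUser(owner, pwd string) string {
	return "ALTER USER " + quoteIdentifier(owner) +
		" WITH ENCRYPTED PASSWORD " + quoteLiteral(pwd) + ";"
}

// roleExistsQuery shows the placeholder form for ordinary queries: the value
// travels separately as an argument, so no quoting is needed at all.
func roleExistsQuery(owner string) (string, []interface{}) {
	return "SELECT 1 FROM pg_roles WHERE rolname = $1", []interface{}{owner}
}

func main() {
	pwd := "it's" // constructed sample password containing a single quote
	fmt.Println(unsafeAlterUser("app", pwd)) // three quotes: syntax error
	fmt.Println(safeAlterUser("app", pwd))   // ALTER USER "app" ... 'it''s';
}
```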