Bobby Tables: A guide to preventing SQL injection
> Go

Go

The database/sql package from the standard library provides methods for executing parameterized queries either as prepared statements or as one-off queries.

age := 27
rows, err := db.Query("SELECT name FROM users WHERE age=?", age)

In addition to database/sql you must also import an appropriate driver for your database.

The specific format of the parameter placeholders (?, $1, etc) is not specified by database/sql. That detail is determined by your selected driver so check their documentation. For example the PostgreSQL driver github.com/lib/pq supports numeric parameters that can be reused such as in this snippet from their docs:

rows, err := db.Query(`SELECT name FROM users WHERE favorite_fruit = $1
    OR age BETWEEN $2 AND $2 + 3`, "orange", 64)

Additional options such as named parameters can be obtained using the github.com/jmoiron/sqlx package.

You can learn more about using SQL databases in Go in the database/sql documentation and through the go-database-sql tutorial.

This site's content is available under the Creative Commons Attribution-ShareAlike 3.0 License.