SQL Injection with GO and Fix

aditya goel
6 min readFeb 13, 2022

--

In case you are landing here directly, it’s strongly suggested that you go and read through this for fundamentals.

In this blog, we shall be looking at following concepts :-

  • Reading SQL-files in GO.
  • Reading text files through Standard Input in GO.
  • Running POSTGRESQL through Docker Container.
  • Connecting to SQL in GO.
  • Demonstrating SQL Injection with GO.
  • Fixing the SQL Injection in GO.

Question :- Demonstrate how SQL Injection can be done in GO ?

Answer:- We shall be demonstrating the SQL-Injection process by using POSTGRE SQL :

Step #1.) Let’s first launch the POSTGRES database through docker container :-

docker container run -e POSTGRES_HOST_AUTH_METHOD=trust -p 5432:5432 postgres:13-alpine

We have the DockerFile being placed in one of the directory :-

Step #2.) In an new terminal, let’s now see whether our container got launched :-

docker container ps -a

Step #3.) Let’s now login to the query terminal of our database and see the database :-

docker container exec -it 85dbf0b157c5 psql -U postgres -h localhost

Step #4.) Let’s head to our code now and start importing libraries :-

Step #4.) Let’s now write the MAIN code :-

  • At line #15, we basically read from the Standard Input.
  • At line #23, we establish connection to the database.
  • At line #31, we issue intent to the GO that, we wish to close the database.
  • At line #33 and 38, we go ahead to createTables and insertStatement to the table respectively.

Step #5.) Let’s now investigate the code for above two methods being used at line #33 and 38. For the same, we have another file where-in we read the queries (to be executed) from external files :-

Step #5.) For line #12, we have following file :-

Step #6.) For line #15 above, we have following file :-

Step #7.) Here is how the code for function : createTables() looks like :-

Step #8.) Here is how the code for function : insertLog() looks like :-

Step #9.) Let’s now run the setup for GO Language first :-

go mod init hello

Above command creates an go.mod file. You can think of Go.mod as the packages you want.

Step #10.) We now install the pq tool first, @ our working directory, as the same has been inserted into the step #1 above.

go get github.com/lib/pq

Note that, Go Get tool installs one dependency at a time. And it installs the latest version of the package.

Step #11.) As a result of above two steps, we can also see that, the new file is generated, called Go.mod and Go.sum.

  • You can think of Go.mod as the packages you want.
  • You can think of Go.sum as the packages that you actually require.

Step #12.) Now, here is the text file that, we shall be executing with above code :-

Step #13.) Now, let’s run our code and observe the output :-

Step #14.) Let’s verify the data in our database now :-

** SQL-Injection STARTs **

Step #15.) Now, here is the text file that, we shall be executing with above code :-

Step #16.) Now, let’s run our code and observe the output :-

Step #17.) Let’s verify the data in our database now and we should not be surprised because the entire data along with tables have been deleted :-

** Fix to safeguard against SQL-Injection **

Step #18.) Here is how the insert query looks like now :-

Step #19.) Below is how the code for insertion now looks like :-

Step #20.) Now, here is the text file that, we shall be executing with above code :-

Step #21.) Now, lets run the code and observe the output :-

Step #22.) Now, let’s again perform the sql injection and re-execute below text file that with above code :-

Step #23.) Now, let’s run our code and observe the output :-

Step #24.) Let’s verify the data in our database now and we observe the below tables do exist along with the both rows into the same. Thus, we have guarded ourselves against the SQL Injection Attack now :-

That’s all in this section. If you liked reading this blog, kindly do press on clap button multiple times, to indicate your appreciation. We would see you in next series.

References :-

--

--

aditya goel
aditya goel

Written by aditya goel

Software Engineer for Big Data distributed systems

Responses (1)