Golang SQL Injection in MariaDB / MySQL

Here is a hands-on demonstration of an SQL injection attack in Go using MariaDB / MySQL with the driver's multiStatements parameter set to true. By default this is set to false, so if you are testing, make sure it is set to true. After testing the SQL injection, the demonstration continues by using SQL statement parameters, which mitigate any possible SQL injection.

Example SQL injection code (include the trailing space after -- below):

'); truncate messages; -- 

Get the code from the repository: https://github.com/sanjib/go-sql-injection-demo

There are 3 relevant files:

  • main.go
  • home.tmpl
  • db.sql

Simply run main.go using “go run .” in the folder where the files are placed. home.tmpl is the template file used by the code, and db.sql contains the schema for creating the table.

You should also edit the DSN (data source name) in the openDB() function to include the username, password and database name of your own MariaDB / MySQL database. For example, I have used:

db, err = sql.Open("mysql", "root@/va_test1?parseTime=true&multiStatements=true")

Replace “root” with your username and “va_test1” with your database name. If you have a password, put it after the username, separated by a colon. For example:

db, err = sql.Open("mysql", "your_username:your_password@/your_database_name?parseTime=true&multiStatements=true")
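As an added example (not code from the demo repository), here is the vulnerable string concatenation the page describes beside its parameterized replacement, plus a small statement counter that shows how the payload turns one INSERT into two statements; the messages table and its content column are assumed from the demo's db.sql.

```go
package main

import (
	"database/sql"
	"fmt"
)

// buildUnsafeQuery mirrors the vulnerable pattern (table messages(content) assumed
// from the demo's db.sql): the form value is pasted into the SQL, so the page's
// "'); truncate messages; -- " closes the literal and appends a second statement.
func buildUnsafeQuery(content string) string {
	return fmt.Sprintf("INSERT INTO messages (content) VALUES ('%s')", content)
}

// insertSafe is the mitigation: text and value travel separately, so content is data.
func insertSafe(db *sql.DB, content string) error {
	_, err := db.Exec("INSERT INTO messages (content) VALUES (?)", content)
	return err
}

// countStatements counts top-level statements, ignoring ';' inside single quotes or
// after "-- ". A small tokenizer for this demo's queries, not a full SQL parser.
func countStatements(q string) int {
	n, pending, inQuote, inComment := 0, false, false, false
	for i := 0; i < len(q); i++ {
		c := q[i]
		switch {
		case inComment:
			inComment = c != '\n' // comment runs to end of line
		case inQuote:
			inQuote = c != '\'' // a doubled '' simply closes and re-opens
		case c == '\'':
			inQuote, pending = true, true
		case c == '-' && i+2 < len(q) && q[i+1] == '-' && q[i+2] == ' ':
			inComment = true
		case c == ';':
			if pending {
				n++
			}
			pending = false
		default:
			pending = pending || c > ' ' // any non-whitespace starts a statement
		}
	}
	if pending {
		n++
	}
	return n
}
```

With the page's payload, countStatements(buildUnsafeQuery(payload)) is 2 while the parameterized text stays at 1; leaving multiStatements off the DSN (the driver's default) is a second layer, since the server then rejects the extra statement even if concatenation slips through.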