Prevent SQL injection in Go by using parameterized queries with placeholders instead of string concatenation. Never interpolate user input directly into SQL strings.
// Safe: use '?' placeholders and pass values as separate arguments.
// db is an open *sql.DB from database/sql; the placeholder syntax is driver-specific
// ('?' for MySQL/SQLite drivers, '$1' for PostgreSQL drivers).
row := db.QueryRow("SELECT name FROM users WHERE id = ?", userID)
var name string
if err := row.Scan(&name); err != nil {
    return err // sql.ErrNoRows when no user matches
}
This approach ensures the database driver treats input as data, not executable code.
SQL injection happens when an attacker gets SQL syntax into your database queries through user input. By using placeholders (like '?') and passing data separately, you tell the database to treat that input strictly as a literal value, not as part of the statement to run. It's like putting a letter in a sealed envelope; the mail carrier delivers it without reading or acting on the contents.
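To make the "data, not code" boundary visible, here is an added example (not code from the original tip) that registers a constructed recording driver with database/sql. The driver executes nothing; it only captures the statement text and the bound arguments it receives, so you can compare what a concatenated query and a parameterized query actually hand to the driver. The table, the `username` column, the input value and the driver name are all assumptions made for the example.

```go
package main

import (
	"database/sql"
	"database/sql/driver"
	"errors"
	"fmt"
	"io"
)

// captured is what the constructed driver saw for the most recent query:
// the SQL text and, separately, the bound parameter values.
type captured struct {
	Query string
	Args  []driver.Value
}

// recordingDriver is a stand-in for a real driver (constructed for this
// example). It records the query/args boundary instead of executing anything.
type recordingDriver struct{ last *captured }

func (d *recordingDriver) Open(name string) (driver.Conn, error) { return &recConn{d: d}, nil }

type recConn struct{ d *recordingDriver }

func (c *recConn) Prepare(q string) (driver.Stmt, error) { return &recStmt{c: c, q: q}, nil }
func (c *recConn) Close() error                          { return nil }
func (c *recConn) Begin() (driver.Tx, error)             { return nil, errors.New("transactions not supported") }

type recStmt struct {
	c *recConn
	q string
}

func (s *recStmt) Close() error  { return nil }
func (s *recStmt) NumInput() int { return -1 } // -1: let database/sql skip placeholder-count checks
func (s *recStmt) Exec(args []driver.Value) (driver.Result, error) {
	s.c.d.last = &captured{Query: s.q, Args: args}
	return driver.RowsAffected(0), nil
}
func (s *recStmt) Query(args []driver.Value) (driver.Rows, error) {
	s.c.d.last = &captured{Query: s.q, Args: args}
	return &recRows{}, nil
}

// recRows yields one constructed row so that QueryRow(...).Scan succeeds.
type recRows struct{ done bool }

func (r *recRows) Columns() []string { return []string{"name"} }
func (r *recRows) Close() error      { return nil }
func (r *recRows) Next(dest []driver.Value) error {
	if r.done {
		return io.EOF
	}
	r.done = true
	dest[0] = "alice"
	return nil
}

var rec = &recordingDriver{}

func init() { sql.Register("recording", rec) }

// OpenRecording opens a *sql.DB backed by the recording driver.
func OpenRecording() (*sql.DB, error) { return sql.Open("recording", "") }

// LastQuery reports the statement text and bound arguments the driver last received.
func LastQuery() (string, []driver.Value) {
	if rec.last == nil {
		return "", nil
	}
	return rec.last.Query, rec.last.Args
}

// unsafeLookup concatenates the input into the statement text. A quote
// character in the input terminates the string literal and becomes SQL syntax.
func unsafeLookup(db *sql.DB, username string) (string, error) {
	var name string
	q := "SELECT name FROM users WHERE username = '" + username + "'"
	err := db.QueryRow(q).Scan(&name)
	return name, err
}

// safeLookup keeps the statement text fixed and binds the input as a parameter,
// so the driver receives the value separately and never parses it as SQL.
func safeLookup(db *sql.DB, username string) (string, error) {
	var name string
	err := db.QueryRow("SELECT name FROM users WHERE username = ?", username).Scan(&name)
	return name, err
}

func main() {
	db, err := OpenRecording()
	if err != nil {
		panic(err)
	}
	defer db.Close()
	input := "O'Neil" // a legitimate value that happens to contain a quote
	for _, f := range []func(*sql.DB, string) (string, error){unsafeLookup, safeLookup} {
		if _, err := f(db, input); err != nil {
			panic(err)
		}
		q, args := LastQuery()
		fmt.Printf("driver got: %q with args %v\n", q, args)
	}
}
```

Running it shows the contrast: the concatenated form hands the driver `SELECT name FROM users WHERE username = 'O'Neil'` with no arguments (the quote has already broken out of the literal), while the parameterized form hands it the unchanged `... WHERE username = ?` plus the value `O'Neil` as a separate argument. Whatever the input contains, it cannot change the statement text on the parameterized path.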