initial Go version of sql injection demo

2025-12-15 18:03:03 +01:00 · 2025-09-01 22:19:22 -07:00
commit a47c7da446
3 changed files with 114 additions and 0 deletions
--- a/add-user.go
+++ b/add-user.go
@@ -0,0 +1,51 @@
+package main
+
+import (
+    "bufio"
+    "fmt"
+    "os"
+    "os/exec"
+    "strconv"
+    "strings"
+    "time"
+)
+
+func writeLogf(format string, args ...any) {
+    ts := time.Now().Format("2006-01-02 15:04:05")
+    fmt.Fprintf(os.Stderr, "[%s] "+format, append([]any{ts}, args...)...)
+}
+
+func getUserInfo() string {
+    in := bufio.NewReader(os.Stdin)
+    fmt.Print("*** Welcome to sql injection ***\n")
+    fmt.Print("Please enter name: ")
+    line, _ := in.ReadString('\n')
+    return strings.TrimSpace(line)
+}
+
+func getNewID() int {
+    return os.Getpid()
+}
+
+func writeInfo(id int, info string) {
+    // UNSAFE: build SQL dynamically from untrusted input
+    query := fmt.Sprintf("INSERT INTO users VALUES (%d, '%s')", id, info)
+    writeLogf("query: %s\n", query)
+
+    // Execute via sqlite3 CLI to avoid external Go dependencies
+    cmd := exec.Command("sqlite3", "users.sqlite", query)
+    cmd.Stdout = os.Stdout
+    cmd.Stderr = os.Stderr
+    if err := cmd.Run(); err != nil {
+        fmt.Fprintf(os.Stderr, "SQL error: %v\n", err)
+        os.Exit(1)
+    }
+}
+
+func main() {
+    info := getUserInfo()
+    id := getNewID()
+    // ensure id is used (silence potential warnings)
+    _ = strconv.Itoa(id)
+    writeInfo(id, info)
+}
--- a/57
+++ b/57
@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+
+set -e
+
+script=$(basename "$0")
+
+GREEN='\033[0;32m'
+MAGENTA='\033[0;95m'
+NC='\033[0m'
+RED='\033[0;31m'
+YELLOW='\033[0;33m'
+
+help() {
+    echo -e "Usage: ./${script} [options]" \
+         "\n${YELLOW}Options: ${NC}" \
+         "\n\t -h  ${GREEN}Show Help ${NC}" \
+         "\n\t -c  ${MAGENTA}Creates a users table ${NC}" \
+         "\n\t -s  ${MAGENTA}Shows all records in the users table ${NC}" \
+         "\n\t -r  ${RED}Removes users table ${NC}"
+}
+
+remove-db () {
+    rm -f users.sqlite
+}
+
+create-db () {
+    echo '
+    CREATE TABLE users (
+        user_id INTEGER not null,
+        name TEXT NOT NULL
+    );
+    '  | sqlite3 users.sqlite
+}
+
+show-db () {
+    echo '
+    SELECT * FROM users;
+    ' | sqlite3 users.sqlite
+}
+
+if [ $# -eq 0 ]; then
+   help
+   exit 0
+fi
+
+while getopts "h?csr" option; do
+    case "${option}" in
+        h|\?)
+            help
+            exit 0
+            ;;
+        c)  create-db ;;
+        s)  show-db ;;
+        r)  remove-db ;;
+    esac
+done
+
--- a/build.sh
+++ b/build.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+go build -o add-user-go ./add-user.go
+echo "Built ./add-user-go"
+