From a47c7da446a45065faced55505b18975b49e49dd Mon Sep 17 00:00:00 2001
From: michael hohn
Date: Mon, 1 Sep 2025 22:19:22 -0700
Subject: [PATCH] initial Go version of sql injection demo
---
 add-user.go | 51 +++++++++++++++++++++++++++++++++++++++++++++++
 admin | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 build.sh | 6 ++++++
 3 files changed, 114 insertions(+)
 create mode 100644 add-user.go
 create mode 100755 admin
 create mode 100755 build.sh
diff --git a/add-user.go b/add-user.go
new file mode 100644
index 0000000..0b13bae
--- /dev/null
+++ b/add-user.go
@@ -0,0 +1,51 @@
+package main
+
+import (
+ "bufio"
+ "fmt"
+ "os"
+ "os/exec"
+ "strconv"
+ "strings"
+ "time"
+)
+
+func writeLogf(format string, args ...any) {
+ ts := time.Now().Format("2006-01-02 15:04:05")
+ fmt.Fprintf(os.Stderr, "[%s] "+format, append([]any{ts}, args...)...)
+}
+
+func getUserInfo() string {
+ in := bufio.NewReader(os.Stdin)
+ fmt.Print("*** Welcome to sql injection ***\n")
+ fmt.Print("Please enter name: ")
+ line, _ := in.ReadString('\n')
+ return strings.TrimSpace(line)
+}
+
+func getNewID() int {
+ return os.Getpid()
+}
+
+func writeInfo(id int, info string) {
+ // UNSAFE: build SQL dynamically from untrusted input
+ query := fmt.Sprintf("INSERT INTO users VALUES (%d, '%s')", id, info)
+ writeLogf("query: %s\n", query)
+
+ // Execute via sqlite3 CLI to avoid external Go dependencies
+ cmd := exec.Command("sqlite3", "users.sqlite", query)
+ cmd.Stdout = os.Stdout
+ cmd.Stderr = os.Stderr
+ if err := cmd.Run(); err != nil {
+ fmt.Fprintf(os.Stderr, "SQL error: %v\n", err)
+ os.Exit(1)
+ }
+}
+
+func main() {
+ info := getUserInfo()
+ id := getNewID()
+ // ensure id is used (silence potential warnings)
+ _ = strconv.Itoa(id)
+ writeInfo(id, info)
+}
diff --git a/admin b/admin
new file mode 100755
index 0000000..4d398c1
--- /dev/null
+++ b/admin
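Review bot: `_ = strconv.Itoa(id)` in main is dead code and its comment is wrong — `id` is already consumed by `writeInfo(id, info)` on the very next line, so both lines and the `"strconv"` import can be dropped. `line, _ := in.ReadString('\n')` in getUserInfo discards the read error, so an immediate EOF on stdin silently inserts an empty name; `line, err := in.ReadString('\n')` followed by `if err != nil && line == "" { writeLogf("no input: %v\n", err); os.Exit(1) }` makes that case explicit. Since the Sprintf line in writeInfo is the demo's intentionally vulnerable statement, its UNSAFE comment should also state that exec.Command passes the query as a single argv element with no shell involved, so the injectable surface is the SQL text alone and the remediation to contrast against is a parameterized statement rather than argument escaping.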
@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+
+set -e
+
+script=$(basename "$0")
+
+GREEN='\033[0;32m'
+MAGENTA='\033[0;95m'
+NC='\033[0m'
+RED='\033[0;31m'
+YELLOW='\033[0;33m'
+
+help() {
+ echo -e "Usage: ./${script} [options]" \
+ "\n${YELLOW}Options: ${NC}" \
+ "\n\t -h ${GREEN}Show Help ${NC}" \
+ "\n\t -c ${MAGENTA}Creates a users table ${NC}" \
+ "\n\t -s ${MAGENTA}Shows all records in the users table ${NC}" \
+ "\n\t -r ${RED}Removes users table ${NC}"
+}
+
+remove-db () {
+ rm -f users.sqlite
+}
+
+create-db () {
+ echo '
+ CREATE TABLE users (
+ user_id INTEGER not null,
+ name TEXT NOT NULL
+ );
+ ' | sqlite3 users.sqlite
+}
+
+show-db () {
+ echo '
+ SELECT * FROM users;
+ ' | sqlite3 users.sqlite
+}
+
+if [ $# -eq 0 ]; then
+ help
+ exit 0
+fi
+
+while getopts "h?csr" option; do
+ case "${option}" in
+ h|\?)
+ help
+ exit 0
+ ;;
+ c) create-db ;;
+ s) show-db ;;
+ r) remove-db ;;
+ esac
+done
+
diff --git a/build.sh b/build.sh
new file mode 100755
index 0000000..a053b00
--- /dev/null
+++ b/build.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+go build -o add-user-go ./add-user.go
+echo "Built ./add-user-go"
+
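Review bot: `CREATE TABLE users (` in create-db fails with an sqlite3 error when `-c` is run a second time because the table already exists, and under `set -e` the script then aborts before any later option in the same invocation is handled; `CREATE TABLE IF NOT EXISTS users (` makes the option safe to repeat. The optstring `"h?csr"` lists `?` as an option letter, but getopts already uses `?` to report an invalid option, so `"hcsr"` is sufficient and the existing `h|\?)` arm still covers both cases. Both this script and add-user.go open `users.sqlite` relative to the current working directory, which is worth a line in the help text so the demo binary and the admin script are run from the same directory.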