initial Go version of sql injection demo

2025-12-16 18:23:06 +01:00 · 2025-09-01 22:19:22 -07:00
commit a47c7da446
3 changed files with 114 additions and 0 deletions
--- a/add-user.go
+++ b/add-user.go
@@ -0,0 +1,51 @@
+package main
+
+import (
+    "bufio"
+    "fmt"
+    "os"
+    "os/exec"
+    "strconv"
+    "strings"
+    "time"
+)
+
+func writeLogf(format string, args ...any) {
+    ts := time.Now().Format("2006-01-02 15:04:05")
+    fmt.Fprintf(os.Stderr, "[%s] "+format, append([]any{ts}, args...)...)
+}
+
+func getUserInfo() string {
+    in := bufio.NewReader(os.Stdin)
+    fmt.Print("*** Welcome to sql injection ***\n")
+    fmt.Print("Please enter name: ")
+    line, _ := in.ReadString('\n')
+    return strings.TrimSpace(line)
+}
+
+func getNewID() int {
+    return os.Getpid()
+}
+
+func writeInfo(id int, info string) {
+    // UNSAFE: build SQL dynamically from untrusted input
+    query := fmt.Sprintf("INSERT INTO users VALUES (%d, '%s')", id, info)
+    writeLogf("query: %s\n", query)
+
+    // Execute via sqlite3 CLI to avoid external Go dependencies
+    cmd := exec.Command("sqlite3", "users.sqlite", query)
+    cmd.Stdout = os.Stdout
+    cmd.Stderr = os.Stderr
+    if err := cmd.Run(); err != nil {
+        fmt.Fprintf(os.Stderr, "SQL error: %v\n", err)
+        os.Exit(1)
+    }
+}
+
+func main() {
+    info := getUserInfo()
+    id := getNewID()
+    // ensure id is used (silence potential warnings)
+    _ = strconv.Itoa(id)
+    writeInfo(id, info)
+}