mirror of
https://github.com/hohn/codeql-dataflow-sql-injection-go.git
synced 2025-12-15 18:03:03 +01:00
52 lines
1.2 KiB
Go
52 lines
1.2 KiB
Go
package main
|
|
|
|
import (
|
|
"bufio"
|
|
"fmt"
|
|
"os"
|
|
"os/exec"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
)
|
|
|
|
func writeLogf(format string, args ...any) {
|
|
ts := time.Now().Format("2006-01-02 15:04:05")
|
|
fmt.Fprintf(os.Stderr, "[%s] "+format, append([]any{ts}, args...)...)
|
|
}
|
|
|
|
func getUserInfo() string {
|
|
in := bufio.NewReader(os.Stdin)
|
|
fmt.Print("*** Welcome to sql injection ***\n")
|
|
fmt.Print("Please enter name: ")
|
|
line, _ := in.ReadString('\n')
|
|
return strings.TrimSpace(line)
|
|
}
|
|
|
|
func getNewID() int {
|
|
return os.Getpid()
|
|
}
|
|
|
|
func writeInfo(id int, info string) {
|
|
// UNSAFE: build SQL dynamically from untrusted input
|
|
query := fmt.Sprintf("INSERT INTO users VALUES (%d, '%s')", id, info)
|
|
writeLogf("query: %s\n", query)
|
|
|
|
// Execute via sqlite3 CLI to avoid external Go dependencies
|
|
cmd := exec.Command("sqlite3", "users.sqlite", query)
|
|
cmd.Stdout = os.Stdout
|
|
cmd.Stderr = os.Stderr
|
|
if err := cmd.Run(); err != nil {
|
|
fmt.Fprintf(os.Stderr, "SQL error: %v\n", err)
|
|
os.Exit(1)
|
|
}
|
|
}
|
|
|
|
func main() {
|
|
info := getUserInfo()
|
|
id := getNewID()
|
|
// ensure id is used (silence potential warnings)
|
|
_ = strconv.Itoa(id)
|
|
writeInfo(id, info)
|
|
}
|