Don't pass params to SQL statements using fmt.Sprintf()

dhui · dhui · commit 49afea4d8659 · 2020-01-03T02:59:33.000-08:00
diff --git a/database/firebird/firebird.go b/database/firebird/firebird.go
@@ -138,13 +138,16 @@ func (f *Firebird) SetVersion(version int, dirty bool) error {
 		return nil
 	}
 
+	// TODO: parameterize this SQL statement
+	//       https://firebirdsql.org/refdocs/langrefupd20-execblock.html
+	//       VALUES (?, ?) doesn't work
 	query := fmt.Sprintf(`EXECUTE BLOCK AS BEGIN
 					DELETE FROM "%v";
 					INSERT INTO "%v" (version, dirty) VALUES (%v, %v);
 				END;`,
 		f.config.MigrationsTable, f.config.MigrationsTable, version, btoi(dirty))
 
-	if _, err := f.conn.ExecContext(context.Background(), query, version, btoi(dirty)); err != nil {
+	if _, err := f.conn.ExecContext(context.Background(), query); err != nil {
 		return &database.Error{OrigErr: err, Query: []byte(query)}
 	}
 
diff --git a/database/ql/ql.go b/database/ql/ql.go
@@ -85,7 +85,7 @@ func (m *Ql) ensureVersionTable() (err error) {
 		return err
 	}
 	if _, err := tx.Exec(fmt.Sprintf(`
-	CREATE TABLE IF NOT EXISTS %s (version uint64,dirty bool);
+	CREATE TABLE IF NOT EXISTS %s (version uint64, dirty bool);
 	CREATE UNIQUE INDEX IF NOT EXISTS version_unique ON %s (version);
 `, m.config.MigrationsTable, m.config.MigrationsTable)); err != nil {
 		if err := tx.Rollback(); err != nil {
@@ -211,8 +211,9 @@ func (m *Ql) SetVersion(version int, dirty bool) error {
 	}
 
 	if version >= 0 {
-		query := fmt.Sprintf(`INSERT INTO %s (version, dirty) VALUES (%d, %t)`, m.config.MigrationsTable, version, dirty)
-		if _, err := tx.Exec(query); err != nil {
+		query := fmt.Sprintf(`INSERT INTO %s (version, dirty) VALUES (uint64(?1), ?2)`,
+			m.config.MigrationsTable)
+		if _, err := tx.Exec(query, version, dirty); err != nil {
 			if errRollback := tx.Rollback(); errRollback != nil {
 				err = multierror.Append(err, errRollback)
 			}
diff --git a/database/sqlite3/sqlite3.go b/database/sqlite3/sqlite3.go
@@ -212,8 +212,8 @@ func (m *Sqlite) SetVersion(version int, dirty bool) error {
 	}
 
 	if version >= 0 {
-		query := fmt.Sprintf(`INSERT INTO %s (version, dirty) VALUES (%d, '%t')`, m.config.MigrationsTable, version, dirty)
-		if _, err := tx.Exec(query); err != nil {
+		query := fmt.Sprintf(`INSERT INTO %s (version, dirty) VALUES (?, ?)`, m.config.MigrationsTable)
+		if _, err := tx.Exec(query, version, dirty); err != nil {
 			if errRollback := tx.Rollback(); errRollback != nil {
 				err = multierror.Append(err, errRollback)
 			}

Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@ func (m *Ql) ensureVersionTable() (err error) {`
`85`	`85`	`return err`
`86`	`86`	`}`
`87`	`87`	if _, err := tx.Exec(fmt.Sprintf(`
`88`		`- CREATE TABLE IF NOT EXISTS %s (version uint64,dirty bool);`
	`88`	`+ CREATE TABLE IF NOT EXISTS %s (version uint64, dirty bool);`
`89`	`89`	`CREATE UNIQUE INDEX IF NOT EXISTS version_unique ON %s (version);`
`90`	`90`	`, m.config.MigrationsTable, m.config.MigrationsTable)); err != nil {
`91`	`91`	`if err := tx.Rollback(); err != nil {`
`@@ -211,8 +211,9 @@ func (m *Ql) SetVersion(version int, dirty bool) error {`
`211`	`211`	`}`
`212`	`212`
`213`	`213`	`if version >= 0 {`
`214`		- query := fmt.Sprintf(`INSERT INTO %s (version, dirty) VALUES (%d, %t)`, m.config.MigrationsTable, version, dirty)
`215`		`- if _, err := tx.Exec(query); err != nil {`
	`214`	+ query := fmt.Sprintf(`INSERT INTO %s (version, dirty) VALUES (uint64(?1), ?2)`,
	`215`	`+ m.config.MigrationsTable)`
	`216`	`+ if _, err := tx.Exec(query, version, dirty); err != nil {`
`216`	`217`	`if errRollback := tx.Rollback(); errRollback != nil {`
`217`	`218`	`err = multierror.Append(err, errRollback)`
`218`	`219`	`}`
Original file line number	Diff line number	Diff line change
`@@ -212,8 +212,8 @@ func (m *Sqlite) SetVersion(version int, dirty bool) error {`
`212`	`212`	`}`
`213`	`213`
`214`	`214`	`if version >= 0 {`
`215`		- query := fmt.Sprintf(`INSERT INTO %s (version, dirty) VALUES (%d, '%t')`, m.config.MigrationsTable, version, dirty)
`216`		`- if _, err := tx.Exec(query); err != nil {`
	`215`	+ query := fmt.Sprintf(`INSERT INTO %s (version, dirty) VALUES (?, ?)`, m.config.MigrationsTable)
	`216`	`+ if _, err := tx.Exec(query, version, dirty); err != nil {`
`217`	`217`	`if errRollback := tx.Rollback(); errRollback != nil {`
`218`	`218`	`err = multierror.Append(err, errRollback)`
`219`	`219`	`}`