Will It Vibe logoWill It Vibe?
GO-001Medium severity-8 points

SQL query built with fmt.Sprintf

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A database/sql Query/Exec call is given the result of fmt.Sprintf whose format string contains a SQL keyword, instead of a placeholder with a bound argument, so a value formatted into the string becomes part of the SQL text.

Why it matters

Building SQL with fmt.Sprintf and handing the result straight to Query or Exec puts whatever was formatted into the string directly into the SQL text. If any of those values ever comes from a request, a header, or another service, an attacker can change the meaning of the query: read other rows, bypass a WHERE clause, or in the worst case modify or delete data. Go's database/sql already supports placeholders, so there is rarely a reason to build SQL this way.

How to fix it

Replace the Sprintf-built string with a parameterized query: use $1, $2 (Postgres) or ? (MySQL/SQLite) placeholders in the query text and pass the dynamic values as separate arguments to Query/Exec. If part of the query must be dynamic (a table or column name), validate it against a fixed allow-list instead of formatting it into the string.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks