SQL query built with fmt.Sprintf
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A database/sql Query/Exec call is given the result of fmt.Sprintf whose format string contains a SQL keyword, instead of a placeholder with a bound argument, so a value formatted into the string becomes part of the SQL text.
Why it matters
Building SQL with fmt.Sprintf and handing the result straight to Query or Exec puts whatever was formatted into the string directly into the SQL text. If any of those values ever comes from a request, a header, or another service, an attacker can change the meaning of the query: read other rows, bypass a WHERE clause, or in the worst case modify or delete data. Go's database/sql already supports placeholders, so there is rarely a reason to build SQL this way.
How to fix it
Replace the Sprintf-built string with a parameterized query: use $1, $2 (Postgres) or ? (MySQL/SQLite) placeholders in the query text and pass the dynamic values as separate arguments to Query/Exec. If part of the query must be dynamic (a table or column name), validate it against a fixed allow-list instead of formatting it into the string.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo