sdk/golang/Databases/GoPgxConn

GoPgxConn

pgx PostgreSQL driver. Connection and Pool types expose Query/Exec/QueryRow that accept raw SQL strings — injection sinks when the SQL is built from user input. pgx is the recommended Postgres driver for new Go projects.

8 sinks

Taint flow0 sources → 8 sinks

Sinks — dangerous call

.Exec()Executes SQL that doesn't return rows

.Query()Executes a query returning rows

.QueryRow()Executes a query returning a single row

.ExecEx()pgx v4 compatibility shim for Exec

.QueryEx()pgx v4 compatibility shim for Query

.QueryRowEx()pgx v4 compatibility shim for QueryRow

.SendBatch()Sends a batch of queries

.Prepare()Creates a prepared statement

Sinks

— dangerous functions taint must not reach

.Exec()Sink

Signature

Exec(ctx context.Context, sql string, args ...any) (CommandTag, error)

Executes SQL that doesn't return rows. Sink when sql is built from user input.

tracks:1

.Query()Sink

Signature

Query(ctx context.Context, sql string, args ...any) (Rows, error)

Executes a query returning rows. SQL injection sink.

tracks:1

.QueryRow()Sink

Signature

QueryRow(ctx context.Context, sql string, args ...any) Row

Executes a query returning a single row. SQL injection sink.

tracks:1

.ExecEx()Sink

Signature

ExecEx(ctx context.Context, sql string, options *QueryExOptions, args ...any) (CommandTag, error)

pgx v4 compatibility shim for Exec. Same injection risk.

tracks:1

.QueryEx()Sink

Signature

QueryEx(ctx context.Context, sql string, options *QueryExOptions, args ...any) (*Rows, error)

pgx v4 compatibility shim for Query. Same injection risk.

tracks:1

.QueryRowEx()Sink

Signature

QueryRowEx(ctx context.Context, sql string, options *QueryExOptions, args ...any) *Row

pgx v4 compatibility shim for QueryRow. Same injection risk.

tracks:1

.SendBatch()Sink

Signature

SendBatch(ctx context.Context, b *Batch) BatchResults

Sends a batch of queries. Each query in the batch can be an injection sink.

tracks:1

.Prepare()Sink

Signature

Prepare(ctx context.Context, name, sql string) (*StatementDescription, error)

Creates a prepared statement. Sink when sql is user-controlled.

tracks:2

Fully-Qualified Names

FQN	Field
github.com/jackc/pgx/v5.Conn	fqns[0]
github.com/jackc/pgx/v5/pgxpool.Pool	fqns[1]
*.Conn	patterns
*.Pool	patterns

Wrong FQN → 0 findings. Verify with: change fqns to garbage → must produce 0 results.

Import

go.mod

require github.com/jackc/pgx/v5 v5.5.5

rule.py

from codepathfinder.go_rule import GoPgxConn

Rules Using This Class

GO-SQLI-002

← PreviousGoMongoCollection

Next →GoRedisClient