Represents database/sql.DB and database/sql.Tx from the Go standard library. Query(), Exec(), and Prepare() are SQL injection sinks when the query string is built from user input instead of using ? placeholders.
Sink methods:

| Method | Role | Signature | Description | Arg index |
|---|---|---|---|---|
| Query() | Sink | `Query(query string, args ...any) (*Rows, error)` | Executes a parameterized SELECT. Sink when the query is built via string concatenation. | 0 |
| QueryRow() | Sink | `QueryRow(query string, args ...any) *Row` | Executes a parameterized SELECT returning one row. Same injection risk. | 0 |
| Exec() | Sink | `Exec(query string, args ...any) (Result, error)` | Executes parameterized DML. Sink when the query contains user input. | 0 |
| Prepare() | Sink | `Prepare(query string) (*Stmt, error)` | Creates a prepared statement. Sink when the query string is user-controlled. | 0 |

Matched types:

| FQN | Field |
|---|---|
| database/sql.DB | fqns[0] |
| database/sql.Tx | fqns[1] |
| database/sql.Stmt | fqns[2] |
| *.DB | patterns |
| *.Tx | patterns |
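As an added example (not the rule library's own code), the vulnerable and hardened call patterns for these sinks in Go; the `users` table, the lookup functions and the input string are constructed for illustration:

```go
package main

import (
	"database/sql"
	"fmt"
)

// Constructed sample input (not from the page) showing how a single quote in
// user input changes the meaning of a concatenated query.
const sampleInput = "alice' OR '1'='1"

// buildUnsafeQuery splices user input into the SQL text. This is what the rule
// flags: argument 0 of Query/QueryRow/Exec/Prepare is tainted.
func buildUnsafeQuery(name string) string {
	return "SELECT id, name FROM users WHERE name = '" + name + "'"
}

// buildSafeQuery keeps the SQL text constant and returns the value separately,
// to be passed through the args parameter of Query/QueryRow/Exec.
func buildSafeQuery(name string) (string, []any) {
	return "SELECT id, name FROM users WHERE name = ?", []any{name}
}

// lookupUnsafe is the vulnerable call pattern: query text derived from input.
func lookupUnsafe(db *sql.DB, name string) (*sql.Rows, error) {
	return db.Query(buildUnsafeQuery(name)) // SQL injection sink
}

// lookupSafe is the hardened form: the driver sends name as a bound parameter,
// so it can never terminate the string literal or add SQL clauses.
func lookupSafe(db *sql.DB, name string) (*sql.Rows, error) {
	q, args := buildSafeQuery(name)
	return db.Query(q, args...)
}

// prepareSafe shows the same rule for Prepare: the statement text is a
// constant, and values are bound when the statement is executed.
func prepareSafe(db *sql.DB) (*sql.Stmt, error) {
	return db.Prepare("UPDATE users SET email = ? WHERE id = ?")
}

func main() {
	// No driver is registered here, so only the query construction is shown.
	fmt.Println("unsafe:", buildUnsafeQuery(sampleInput))
	q, args := buildSafeQuery(sampleInput)
	fmt.Printf("safe:   %s  args=%q\n", q, args)
}
```

With the constructed input, the unsafe text becomes `... WHERE name = 'alice' OR '1'='1'`, while the safe form sends unchanged SQL and the whole string as one argument.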
A wrong FQN produces 0 findings. Sanity check: change fqns to a garbage value; the rule must then produce 0 results.
```python
# standard library: no go.mod entry required
from codepathfinder.go_rule import GoSQLDB
```