
Fix SQL Injection (Legacy & Modern) in Echo

SQL Injection in Go's Echo framework isn't an Echo bug; it's a developer failure to use the database/sql driver correctly. Whether you're using raw SQL or an ORM like GORM, the vulnerability emerges the moment you use string formatting (fmt.Sprintf) to build a query instead of parameterized placeholders. In a modern stack, this is the fastest way to leak your entire DB schema.

The Vulnerable Pattern

func GetUser(c echo.Context) error {
  userID := c.QueryParam("id")
  // VULNERABLE: Direct string concatenation allows an attacker to terminate the query and inject commands
  query := fmt.Sprintf("SELECT username, email FROM users WHERE id = %s", userID)

  rows, _ := db.Query(query)
  return c.JSON(http.StatusOK, rows)
}

The Secure Implementation

The fix is to use parameterized queries (prepared statements). When you pass the user value as a separate argument to db.Query() or db.Exec(), the SQL driver sends the query template and the data to the database in separate packets, so the database engine never interprets user-supplied data as SQL commands. For legacy code, audit every fmt.Sprintf call and every '+' concatenation that feeds a database call. For modern Echo apps using GORM, never pass a string containing unvalidated user input into .Where() or .Raw(); bind the value with a ? placeholder instead.

func GetUser(c echo.Context) error {
  userID := c.QueryParam("id")
  // SECURE: Use positional placeholders (? for MySQL/SQLite, $1 for Postgres)
  // The driver binds userID as a parameter, so it is always treated as a literal value, never as SQL
  rows, err := db.Query("SELECT username, email FROM users WHERE id = ?", userID)
  if err != nil {
    return echo.NewHTTPError(http.StatusInternalServerError, "Internal Server Error")
  }
  defer rows.Close()

  // Modern ORM (GORM) approach:
  // db.Where("id = ?", userID).First(&user)

  return c.JSON(http.StatusOK, "Success")
}
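The legacy-code audit recommended above, as an added example that is not part of the original page or GuardAPI's tooling: a small Go checker built on the standard go/ast package that flags calls to Query, QueryRow, Exec, Where and Raw whose SQL argument was assembled with fmt.Sprintf or '+', either inline or through a local variable such as query in the vulnerable handler. The sink list and the file-wide taint tracking are assumptions of this example, not a published rule set.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)
// querySinks lists the database/sql methods and the GORM methods named on the page whose first argument is SQL text (assumed set).
var querySinks = map[string]bool{"Query": true, "QueryRow": true, "Exec": true, "Where": true, "Raw": true}
// builtByFormatting reports whether e assembles a string with the + operator or a Sprintf call.
func builtByFormatting(e ast.Expr) bool {
	switch x := e.(type) {
	case *ast.BinaryExpr:
		return x.Op == token.ADD
	case *ast.CallExpr:
		sel, ok := x.Fun.(*ast.SelectorExpr)
		return ok && sel.Sel.Name == "Sprintf"
	}
	return false
}

// FindUnsafeQueries parses one Go source file and returns a finding for every sink call whose SQL argument was formatted, inline or via a local such as query := fmt.Sprintf(...).
func FindUnsafeQueries(src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	tainted := map[string]bool{} // variable names assigned from a formatted string (tracked file-wide, not per scope)
	var findings []string
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.AssignStmt:
			if id, ok := x.Lhs[0].(*ast.Ident); ok && len(x.Rhs) == 1 && builtByFormatting(x.Rhs[0]) {
				tainted[id.Name] = true
			}
		case *ast.CallExpr:
			sel, ok := x.Fun.(*ast.SelectorExpr)
			if ok && querySinks[sel.Sel.Name] && len(x.Args) > 0 {
				if id, isIdent := x.Args[0].(*ast.Ident); builtByFormatting(x.Args[0]) || (isIdent && tainted[id.Name]) {
					findings = append(findings, fmt.Sprintf("%s: %s() called with a formatted SQL string", fset.Position(x.Pos()), sel.Sel.Name))
				}
			}
		}
		return true
	})
	return findings, nil
}
```

The checker is deliberately conservative (a variable name tainted in one function counts as tainted everywhere in the file), so treat its output as a list of call sites to review rather than a verdict.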


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.