GuardAPI

Fix SQL Injection (Legacy & Modern) in Revel

SQL Injection in Revel applications typically occurs when developers bypass Go's 'database/sql' parameterization in favor of manual string concatenation. In legacy environments, this often manifests via fmt.Sprintf; in modern contexts, it occurs through raw GORM fragments or dynamic table identifiers. To secure these apps, you must enforce a strict separation between the SQL command and the untrusted data.

The Vulnerable Pattern

func (c App) GetProfile(username string) revel.Result {
    // VULNERABLE: the untrusted username is interpolated straight into the
    // statement text, so quotes and SQL keywords inside it become part of the
    // command the engine parses ('OR 1=1' style bypasses, comments, UNIONs).
    query := fmt.Sprintf("SELECT * FROM users WHERE username = '%s'", username)
    rows, _ := db.Query(query) // error discarded and rows never closed: typical of this legacy pattern
    // ... process rows
    return c.Render(rows)
}

The Secure Implementation

The vulnerability exists because the SQL engine interprets the user-supplied string as part of the command logic, allowing for 'OR 1=1' style bypasses. The secure implementation uses placeholders (e.g., '?' for MySQL/SQLite, '$1' for PostgreSQL). This forces the database driver to treat the input strictly as data, not executable code. For modern Revel apps using GORM, always use 'db.Where("username = ?", username)' instead of passing formatted strings to the 'Where' clause.

func (c App) GetProfile(username string) revel.Result {
    // SECURE: the '?' placeholder (MySQL/SQLite; $1 for PostgreSQL) makes the
    // driver send username separately from the statement text, as data only.
    query := "SELECT id, username, email FROM users WHERE username = ?"
    rows, err := db.Query(query, username)
    if err != nil {
        return c.RenderError(err)
    }
    defer rows.Close()
    // Copy the rows into plain values before returning: the deferred Close
    // runs when the action returns, before Revel executes the template.
    var users []User // User: an app-defined struct, assumed here
    for rows.Next() {
        var u User
        if err := rows.Scan(&u.ID, &u.Username, &u.Email); err != nil {
            return c.RenderError(err)
        }
        users = append(users, u)
    }
    if err := rows.Err(); err != nil {
        return c.RenderError(err)
    }
    return c.Render(users)
}
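Added example (not GuardAPI's code) extending the secure pattern to the dynamic-identifier case mentioned above: placeholders cannot bind table or column names, so a caller-chosen sort key is mapped through an allowlist while the username is bound with '?', and rows are copied out before they are closed. User, sortColumns, BuildUserQuery and FindUsers are hypothetical names; db is assumed to be a *sql.DB opened with a MySQL or SQLite driver.

```go
package main

import (
	"database/sql"
	"fmt"
	"strings"
)

type User struct { // hypothetical row shape for the users table
	ID       int64
	Username string
}

// sortColumns is an allowlist: identifiers cannot be bound as '?' placeholders,
// so a caller-chosen sort key is mapped to a fixed column name or rejected.
var sortColumns = map[string]string{"id": "id", "name": "username"}

// BuildUserQuery returns the SQL text and the bound arguments separately; the
// username never enters the text. '?' is MySQL/SQLite syntax, PostgreSQL uses $1.
func BuildUserQuery(username, sortKey string) (string, []any, error) {
	col, ok := sortColumns[strings.ToLower(sortKey)]
	if !ok {
		return "", nil, fmt.Errorf("unsupported sort column %q", sortKey)
	}
	query := "SELECT id, username FROM users WHERE username = ? ORDER BY " + col
	return query, []any{username}, nil
}

// FindUsers executes the query and copies every row into a slice before
// rows are closed, so the slice is safe to hand to c.Render afterwards.
func FindUsers(db *sql.DB, username, sortKey string) ([]User, error) {
	query, args, err := BuildUserQuery(username, sortKey)
	if err != nil {
		return nil, err
	}
	rows, err := db.Query(query, args...)
	if err != nil {
		return nil, err
	}
	defer rows.Close()
	var users []User
	for rows.Next() {
		var u User
		if err := rows.Scan(&u.ID, &u.Username); err != nil {
			return nil, err
		}
		users = append(users, u)
	}
	return users, rows.Err()
}
```

A sort key that is not in the allowlist is rejected before any SQL is built, and the username, whatever characters it contains, only ever appears in the argument list.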

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.