SQL Injection Poll

Hey everyone, we recently started a poll regarding SQL Injection.
We have a Go app that simply takes a username and password from the user and then runs a query with them to attempt authentication.
However, this app is susceptible to SQL Injection.

We handpicked 3 user submissions for a potential patch to this vuln. One of them passed while the other two failed. Which one is your pick for the security fix? Cast your votes below on either LinkedIn or Twitter.


As the description says, it is just a simple app that accepts a username and password. If they are valid it will sign you in. However, the code is vulnerable to SQL injection.

Solution 1 tries wrapping it in a parameterized query form in order to prevent SQL injection.

Solution 2 tries to hardcode the SQL query and only takes the username and password from the input parameters; the predefined format ought to prevent any attacks.

Solution 3 does not touch the SQL query at all; it scans the user input for any malicious characters such as `'`, since usernames should not have weird symbols. If there are any, it will deny the request; otherwise it will succeed.

One of these passed while the other two did not. Which one do you think is the right patch?
Go and cast your vote below on either LinkedIn or Twitter!
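For reference, here is what the concatenated query and the parameterized form described under Solution 1 look like side by side in Go (an added example, not the app's own code or any of the submissions; the `users` table, its column names and the `?` placeholder style are assumptions). The constructed username contains a single quote, the character Solution 3 filters on, to show that it alters the text of the concatenated statement while the parameterized statement stays byte-for-byte constant.

```go
package main

import (
	"context"
	"database/sql"
	"errors"
	"fmt"
)

// Vulnerable pattern: credentials are spliced into the SQL text, so whatever
// the user types becomes part of the statement the database parses.
func vulnerableQuery(username, password string) string {
	return fmt.Sprintf(
		"SELECT id FROM users WHERE username = '%s' AND password = '%s'",
		username, password)
}

// Parameterized form: the SQL text is a constant and the credentials are bound
// arguments sent separately (table, columns and '?' placeholders are assumed).
const authQuery = "SELECT id FROM users WHERE username = ? AND password = ?"

// safeQuery returns the statement and arguments exactly as handed to the
// driver; the statement never depends on the input.
func safeQuery(username, password string) (string, []any) {
	return authQuery, []any{username, password}
}

var ErrInvalidCredentials = errors.New("invalid credentials")

// authenticate runs the parameterized lookup against an open *sql.DB.
func authenticate(ctx context.Context, db *sql.DB, username, password string) (int64, error) {
	q, args := safeQuery(username, password)
	var id int64
	err := db.QueryRowContext(ctx, q, args...).Scan(&id)
	if errors.Is(err, sql.ErrNoRows) {
		return 0, ErrInvalidCredentials
	}
	if err != nil {
		return 0, fmt.Errorf("auth query: %w", err)
	}
	return id, nil
}

func main() {
	// Constructed input: a legitimate username that contains a single quote.
	user, pass := "o'brien", "hunter2"
	fmt.Println(vulnerableQuery(user, pass)) // the quote breaks the string literal
	q, args := safeQuery(user, pass)
	fmt.Println(q, args) // statement unchanged; input travels as arguments
}
```

Placeholder syntax is driver specific (`?` for some drivers, `$1` for others), but in every case the driver sends the statement and the arguments to the database separately.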
