Kortana Labs

SQL injection in payments handler

Severity: critical / Status: open

Description

User-controlled input is concatenated directly into a SQL query, allowing an attacker to read or modify arbitrary rows in the payments database.

Affected code

services/payments/handler.go:41
// vulnerable: userID is spliced into the SQL text, so its content is parsed as SQL; the Query error is also discarded
query := "SELECT * FROM payments WHERE user_id = '" + userID + "'"
rows, _ := db.Query(query)

AI analysis

Root cause. User-controlled `userID` is concatenated directly into the SQL string, allowing an attacker to alter the query and read or modify arbitrary rows.

Recommended fix. Replace string concatenation with a parameterised query so the driver binds `userID` as a value, not as SQL. This neutralises injection while keeping behaviour identical.
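The fix described above, as an added example that is not code from the finding or from the Kortana Labs project. It places the vulnerable concatenation beside the parameterised form and runs the parameterised form through Go's database/sql against a constructed, in-memory recording driver (not a real database) so you can see exactly what reaches the driver: the template unchanged, with the hostile input delivered as a bound argument. The names `unsafeQuery`, `queryPayments`, `bindUserID` and the `recording` driver are assumptions for this example; the `?` placeholder style is MySQL/SQLite convention (Postgres drivers use `$1`).

```go
package main

import (
	"database/sql"
	"database/sql/driver"
	"errors"
	"fmt"
	"io"
	"sync"
)

// Vulnerable form, as in the finding: the caller's value becomes part of the SQL text.
func unsafeQuery(userID string) string {
	return "SELECT * FROM payments WHERE user_id = '" + userID + "'"
}

// Recommended form: a fixed template with a placeholder. userID is passed to
// db.Query as an argument, so the driver binds it as a value, never as SQL.
const paymentsByUser = "SELECT * FROM payments WHERE user_id = ?"

func queryPayments(db *sql.DB, userID string) error {
	rows, err := db.Query(paymentsByUser, userID)
	if err != nil {
		return err
	}
	defer rows.Close()
	// real code iterates rows.Next() / rows.Scan() here
	return rows.Err()
}

// --- Constructed stand-in driver (assumption for this example, not a real DB) ---
// It executes nothing; it records the query text and the bound arguments that
// database/sql hands to it, so we can inspect what would reach the server.

type recorder struct {
	mu    sync.Mutex
	query string
	args  []driver.Value
}

func (r *recorder) Open(string) (driver.Conn, error) { return &conn{r: r}, nil }

type conn struct{ r *recorder }

func (c *conn) Prepare(q string) (driver.Stmt, error) { return &stmt{r: c.r, query: q}, nil }
func (c *conn) Close() error                         { return nil }
func (c *conn) Begin() (driver.Tx, error)            { return nil, errors.New("not supported") }

type stmt struct {
	r     *recorder
	query string
}

func (s *stmt) Close() error  { return nil }
func (s *stmt) NumInput() int { return -1 } // -1: database/sql skips the placeholder count check
func (s *stmt) Exec([]driver.Value) (driver.Result, error) {
	return nil, errors.New("not supported")
}
func (s *stmt) Query(args []driver.Value) (driver.Rows, error) {
	s.r.mu.Lock()
	defer s.r.mu.Unlock()
	s.r.query = s.query
	s.r.args = append([]driver.Value(nil), args...)
	return &noRows{}, nil
}

type noRows struct{}

func (*noRows) Columns() []string         { return []string{"id"} }
func (*noRows) Close() error              { return nil }
func (*noRows) Next([]driver.Value) error { return io.EOF }

var rec = &recorder{}

func init() { sql.Register("recording", rec) }

// bindUserID runs the parameterised query through database/sql against the
// recording driver and reports the query text and arguments the driver received.
func bindUserID(userID string) (sentQuery string, sentArgs []string, err error) {
	db, err := sql.Open("recording", "")
	if err != nil {
		return "", nil, err
	}
	defer db.Close()
	if err := queryPayments(db, userID); err != nil {
		return "", nil, err
	}
	rec.mu.Lock()
	defer rec.mu.Unlock()
	for _, a := range rec.args {
		sentArgs = append(sentArgs, fmt.Sprint(a))
	}
	return rec.query, sentArgs, nil
}

func main() {
	input := "x' OR '1'='1" // constructed hostile input
	fmt.Println("concatenated: ", unsafeQuery(input))
	q, args, err := bindUserID(input)
	if err != nil {
		panic(err)
	}
	fmt.Printf("parameterised: %s  args=%q\n", q, args)
}
```

Running it shows the concatenated query's WHERE clause rewritten by the input, while the parameterised path sends the literal template and one string argument. The same property holds with a real driver: the server receives the statement and the value separately, which is why the recommended fix keeps behaviour identical for legitimate IDs.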

Details

Severity
critical
CVSS
9.8
CVE
CVE-2024-31337
CWE
CWE-89
File
services/payments/handler.go
Status
open
