Hone logo
Hone
Problems

Secure Data Insertion with Prepared Statements in Go

Databases are fundamental to most applications, and securely interacting with them is paramount. A common vulnerability is SQL injection, where malicious users can manipulate SQL queries. Prepared statements are a robust defense against this by separating the SQL query structure from the data, ensuring that input is treated as data and not executable code. This challenge focuses on implementing prepared statements in Go to securely insert data into a simulated database.

Problem Description

Your task is to write a Go program that securely inserts user data into a simulated database table named users. You will use prepared statements to prevent SQL injection. The program should:

  1. Initialize a simulated database: For this challenge, we'll simulate a database using an in-memory slice of maps, where each map represents a user.
  2. Define a user struct: Create a User struct to hold user information (e.g., ID, Username, Email).
  3. Implement an insertion function: This function will accept a User object and use a prepared statement to insert it into the simulated database.
  4. Handle potential errors: Ensure that any database operations are properly checked for errors.

Key Requirements:

  • Use database/sql package and a suitable driver (you can mock one or use a simple in-memory implementation for this exercise).
  • The insertion function must utilize db.Prepare() and stmt.Exec() to construct and execute the INSERT query.
  • The input data for the insertion must be passed as arguments to stmt.Exec(), not concatenated into the SQL string.
  • The simulated database should be capable of storing multiple user records.

Expected Behavior:

When the InsertUser function is called with valid User data, the user should be added to the simulated database. If an error occurs during preparation or execution, the error should be returned.

Edge Cases to Consider:

  • Inserting duplicate user IDs (though for this simulation, we might assume unique IDs or handle it gracefully).
  • Invalid input types (e.g., attempting to insert a string into a numeric field, if we were using a real DB). For this simulation, we'll assume valid types.

Examples

Example 1:

Input User: User{ID: 1, Username: "alice", Email: "alice@example.com"}

Simulated Database State (before insertion): []

Simulated Database State (after insertion):
[
  {
    "ID": 1,
    "Username": "alice",
    "Email": "alice@example.com"
  }
]

Explanation: The InsertUser function is called with the details for "alice". A prepared statement is created for the INSERT query. The user's data is then executed with the prepared statement, adding a new record to the database.

Example 2:

Input User 1: User{ID: 2, Username: "bob", Email: "bob@example.com"}
Input User 2: User{ID: 3, Username: "charlie", Email: "charlie@example.com"}

Simulated Database State (after both insertions):
[
  {
    "ID": 2,
    "Username": "bob",
    "Email": "bob@example.com"
  },
  {
    "ID": 3,
    "Username": "charlie",
    "Email": "charlie@example.com"
  }
]

Explanation: Two separate calls to InsertUser are made. Each call uses a prepared statement to securely add a new user to the database, demonstrating that the simulated database can hold multiple records.

Constraints

  • The simulated database will be an in-memory slice of map[string]interface{}.
  • The User struct will have fields: ID (int), Username (string), Email (string).
  • Your insertion function should not directly interpolate string values into the SQL query. Use placeholders.
  • The number of users to be inserted in testing scenarios will not exceed 1000.
  • The maximum length of Username and Email will be 255 characters.

Notes

  • To simulate the database/sql interface without a real database, you can create a mock *sql.DB and mock *sql.Tx or, more simply for this problem, create a custom struct that implements the necessary methods (Prepare, Exec) to interact with your in-memory slice.
  • Consider using driver.Result interface to mimic what Exec returns.
  • Focus on the mechanism of prepared statements and secure data handling rather than complex database transaction management or advanced SQL features.
  • The goal is to demonstrate a secure insertion pattern.
Loading editor...
go