Query Injection with GoLang SDK

Environment:
SDK: gopkg.in/auth0.v5
go version go1.16.6 darwin/amd64

I am writing a query like the following to query users from the connection using email.
qs := fmt.Sprintf(`identities.connection:"%s" AND email:"%s"`, u.dbConnection, email)
q := auth0management.Query(qs)
l, err := u.client.User.List(q, auth0management.Context(ctx))

Suppose both “u.dbConnection” and “email” are user-provided inputs. Is there any injection possible here? Do the GoLang SDK or API prevent injection? If not, then what should be the way to prevent it? Is there any example of writing the query with params and passing the param key/value instead of a formatted string?

Regards,
Irfan

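One way to check both values before they are formatted into the search string, as an added example that is not part of the original post and is not Auth0 SDK code. It assumes the formatted string reaches the search API as written; `BuildUserQuery`, `NaiveUserQuery`, `ErrBadInput`, the allowlist and the sample inputs are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// ErrBadInput is returned for any value that must not reach the query string.
var ErrBadInput = errors.New("rejected search input")

// allowedConnections is a hypothetical server-side allowlist (sample name).
var allowedConnections = map[string]bool{"Username-Password-Authentication": true}

// NaiveUserQuery is the formatting from the post: inputs are pasted in unchecked.
func NaiveUserQuery(connection, email string) string {
	return fmt.Sprintf(`identities.connection:"%s" AND email:"%s"`, connection, email)
}

// BuildUserQuery (hypothetical helper) validates both values before formatting.
func BuildUserQuery(connection, email string) (string, error) {
	if !allowedConnections[connection] {
		return "", fmt.Errorf("%w: unknown connection", ErrBadInput)
	}
	// Accept only a bare address: no display name, no trailing text.
	addr, err := mail.ParseAddress(email)
	if err != nil || addr.Address != email {
		return "", fmt.Errorf("%w: not a bare email address", ErrBadInput)
	}
	// Reject quote, backslash, wildcards and whitespace, which could change
	// how the search engine reads the quoted phrase.
	if strings.ContainsAny(email, "\"\\*? \t\r\n") {
		return "", fmt.Errorf("%w: forbidden character in email", ErrBadInput)
	}
	return NaiveUserQuery(connection, email), nil
}

func main() {
	// Constructed inputs: one ordinary address, one carrying a double quote.
	conn := "Username-Password-Authentication"
	for _, email := range []string{"bob@example.com", `a@example.com" OR email:"b@example.com`} {
		fmt.Println("naive:  ", NaiveUserQuery(conn, email))
		q, err := BuildUserQuery(conn, email)
		fmt.Println("checked:", q, err)
	}
}
```

The naive output for the second input contains two `email:` clauses, while the checked builder returns `ErrBadInput` and no query.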