Severity:
Description:
Using parameterized UUID placeholders (?) in WHERE clauses causes a runtime panic with an "index out of range" error.
Panic Message:
```
panic: runtime error: index out of range [30] with length 30
github.com/caretdev/go-irisnative/src/list.GetListItem
```
Symptoms:
- Runtime panic when executing query
- Stack trace points to go-irisnative internal code
- Only affects UUID fields (VARCHAR and INT fields work normally with parameters)
Minimal Reproduction:
```go
package main

import (
	"database/sql"
	"fmt"
	// add a blank import of the go-irisnative driver package here; it registers the "iris" driver name
)

func countBrandsByOrg(db *sql.DB, orgID string) (int, error) {
	var count int
	// This causes panic
	query := `SELECT COUNT(*) FROM GPC.Brand WHERE Brand_Org_ID = ?`
	err := db.QueryRow(query, orgID).Scan(&count)
	// PANIC: runtime error: index out of range [30] with length 30
	return count, err
}

// Test case
func main() {
	db, _ := sql.Open("iris", "iris://_SYSTEM:password@localhost:1972/USER")
	defer db.Close()
	orgID := "12CA3331-ABA3-426B-9A4F-E4E8B5CA24F5"
	count, err := countBrandsByOrg(db, orgID) // Panics here
	fmt.Println(count, err)
}
```
Workaround:
Embed UUID directly in SQL string using fmt.Sprintf:
```go
func countBrandsByOrg(db *sql.DB, orgID string) (int, error) {
	var count int
	// Workaround: Embed UUID directly in SQL string
	query := fmt.Sprintf(`SELECT COUNT(*) FROM GPC.Brand WHERE Brand_Org_ID = '%s'`, orgID)
	err := db.QueryRow(query).Scan(&count) // Works fine
	return count, err
}
```
Note: UUIDs are still validated by Chi router parsing and database query execution, so SQL injection risk is minimal in this specific case. However, this workaround is not ideal for general-purpose code.
Impact: High - breaks standard Go database/sql parameterized query patterns, increases SQL injection risk.
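The fmt.Sprintf workaround above is only safe while the value is guaranteed to be a UUID. The following is an added example, not code from the issue author or from go-irisnative, showing how to keep that guarantee inside the query-building code itself rather than relying on an upstream router: the id is checked against a strict canonical-UUID whitelist before it is embedded, and the query builder is kept free of *sql.DB so it can be tested without a running IRIS instance. The names BuildCountBrandsQuery, ErrInvalidUUID and uuidPattern are assumptions introduced here; the sample inputs in main are constructed for the example.

```go
package main

import (
	"database/sql"
	"errors"
	"fmt"
	"regexp"
)

// uuidPattern accepts only the canonical 8-4-4-4-12 hexadecimal form.
// Anything that matches cannot contain quotes, comment markers or
// additional SQL, so embedding it as a literal is safe.
// (Assumption of this example: the column stores UUIDs in this textual form.)
var uuidPattern = regexp.MustCompile(
	`^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}$`)

// ErrInvalidUUID is returned for any id that fails the whitelist.
var ErrInvalidUUID = errors.New("orgID is not a canonical UUID")

// BuildCountBrandsQuery returns the literal-embedded query for a validated id.
// It is pure (no database access) so the rejection logic can be unit-tested.
func BuildCountBrandsQuery(orgID string) (string, error) {
	if !uuidPattern.MatchString(orgID) {
		return "", ErrInvalidUUID
	}
	return fmt.Sprintf(`SELECT COUNT(*) FROM GPC.Brand WHERE Brand_Org_ID = '%s'`, orgID), nil
}

// countBrandsByOrg is the workaround with the whitelist applied first.
func countBrandsByOrg(db *sql.DB, orgID string) (int, error) {
	query, err := BuildCountBrandsQuery(orgID)
	if err != nil {
		return 0, err
	}
	var count int
	err = db.QueryRow(query).Scan(&count)
	return count, err
}

func main() {
	// Constructed inputs: one valid UUID, one injection attempt, one empty id.
	inputs := []string{
		"12CA3331-ABA3-426B-9A4F-E4E8B5CA24F5",
		"12CA3331-ABA3-426B-9A4F-E4E8B5CA24F5' OR '1'='1",
		"",
	}
	for _, in := range inputs {
		q, err := BuildCountBrandsQuery(in)
		if err != nil {
			fmt.Printf("rejected %q: %v\n", in, err)
			continue
		}
		fmt.Printf("accepted: %s\n", q)
	}
}
```

Once the upstream placeholder bug is fixed, countBrandsByOrg can go back to passing orgID as a query argument; the whitelist check is still worth keeping as defence in depth, since it costs nothing and removes the dependency on the caller having validated the value.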