A partial answer is banning reflect in a callstack, but that's
heavy-handed. I could traverse up to a "safesql.ReflectOk on the stack
On Wednesday, February 7, 2018 at 2:54:13 PM UTC-8, Andy Jackson wrote:
>
> I realize that private functions of another package are not reachable by
> reflection, but I'm looking for a way to ensure a public
> interface-or-struct's function can be fully back-traced statically.
>
> An interface function like
> Query(sql string, args ...interface{}) Result
> is an SQL injection risk if it can be called via reflection. This includes
> the sqlx library simply being part of a program.
>
> My goal: to enhance SafeSQL to fully backtrace and know certainly that
> there are no SQL injection risks.
>
> Alternative: I can add a comment to the functions I write:
> // Reflection Calls Disallowed
>
> But compiler assurance of this would be nice.
>
--
You received this message because you are subscribed to the Google Groups
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
