DZone Security Zone

Avoid BigQuery SQL Injection in Go With saferbq


Summary

You can build dynamic queries in BigQuery using the Go SDK. When building applications that allow users to select tables or datasets dynamically, you need to include those identifiers in your SQL queries. I was surprised to find that the BigQuery manual and code examples do not warn about SQL injection vulnerabilities when doing this. Even more surprising: BigQuery does not provide a built-in mechanism to safely handle user input in table or dataset names. The official SDK supports parameterized queries for data values using @ and ? syntax, but these cannot be used for identifiers that need backtick escaping. You’re forced to use string concatenation, which opens the door to SQL injection. This post explains the problem and introduces a package I wrote to tackle this shortcoming.
This article originally appeared on DZone Security Zone.
