Allow quoted strings to be used to format SQL queries (#240)

* Support stripping vendor paths when matching calls * Factor out matching of formatter string * Quoted strings are safe to use with SQL str formatted strings * Add test for allowing quoted strings with string formatters * Install the pq package for tests to pass
2025-07-07 00:35:35 +02:00 · 2018-09-25 00:40:05 -07:00
parent ec32ce68d8
commit 762ff3a709
14 changed files with 88 additions and 33 deletions
--- a/testutils/source.go
+++ b/testutils/source.go
@ -292,6 +292,27 @@ func main(){
 				panic(err)
 		}
 		defer rows.Close()
+}`, 0}, {`
+// Format string false positive, quoted formatter argument.
+package main
+import (
+	"database/sql"
+	"fmt"
+	"os"
+	"github.com/lib/pq"
+)
+
+func main(){
+	db, err := sql.Open("postgres", "localhost")
+	if err != nil {
+		panic(err)
+	}
+	q := fmt.Sprintf("SELECT * FROM %s where id = 1", pq.QuoteIdentifier(os.Args[1]))
+	rows, err := db.Query(q)
+	if err != nil {
+		panic(err)
+	}
+	defer rows.Close()
 }`, 0}}

 	// SampleCodeG202 - SQL query string building via string concatenation