<p><code>_, err = db.Exec("INSERT INTO books(name) VALUES(?)", university)</code></p>
<p>If so, how can I delete all the information in the books table using an HTML input field?</p>
<hr/>**Comments:**<br/><br/>barsonme: <pre><p>no, not unless your database doesn't escape the parameterized queries.</p>
<p>Typically SQL injection happens when you try something like this:</p>
<p><code>_, err := db.Exec("INSERT INTO books(name) VALUES("+university+")")</code></p>
<p>...or something similar using fmt.Sprintf, a bytes.Buffer, etc.</p></pre>beeks10: <pre><p>I should be safe? I am just worried about SQL injection. All my db.Exec are like the one listed above and none of them are like: _, err := db.Exec("INSERT INTO books(name) VALUES("+university+")")</p></pre>jussij: <pre><p>The reason it is safe is because you have the ? in the Exec statement.</p>
<p>That is a placeholder for what is known as a <em>parameterized query</em> and that's what makes it safe.</p></pre>barsonme: <pre><p>I already answered that question. However, I recommend you read: <a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet" rel="nofollow">https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet</a></p></pre>PsyWolf: <pre><p>Yes. You are safe.</p>
<p>But don't just take our word for it. Learn more about SQL injection attacks. They're interesting and not too complex for any ordinary programmer to understand.</p></pre>pentestrobutiv: <pre><p>Safe</p></pre>mc_hammerd: <pre><p>type in the field <code>1); DELETE FROM books WHERE 1;--</code> <sup>dunno</sup></p>
<p>(this can be protected against by a mysql option 1 cmd per query)</p></pre>beeks10: <pre><p>That didn't work</p></pre>mc_hammerd: <pre><p>I also tried a subquery... didn't work for me, it looks safe. But try anyway if you want..</p>
<p>a) <code>ISNULL((DELETE FROM books WHERE 1), 1)</code></p>
<p>b) <code>(DELETE FROM BOOKS WHERE 1)</code></p></pre>
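To make the placeholder mechanism jussij and barsonme describe concrete, here is an added example (not code from the thread or any real driver) that registers a stub database/sql driver which executes nothing and only records the SQL text and bound arguments it is handed; the driver name `recorder`, the `last` variable and the two Exec helpers are constructed for this demonstration.

```go
package main
import (
	"database/sql"
	"database/sql/driver"
	"errors"
	"fmt"
)

// recorder is a stub driver, constructed for this example: it runs nothing and
// only records the SQL text and bound arguments database/sql hands it.
type recorder struct{}
type conn struct{}
type stmt struct{ text string }

var last struct{ Query string; Args []driver.Value } // what the driver last received
func (recorder) Open(string) (driver.Conn, error)      { return conn{}, nil }
func (conn) Prepare(q string) (driver.Stmt, error)     { return stmt{q}, nil }
func (conn) Close() error                              { return nil }
func (conn) Begin() (driver.Tx, error)                 { return nil, errors.New("no tx") }
func (stmt) Close() error                              { return nil }
func (stmt) NumInput() int                             { return -1 } // accept any arg count
func (stmt) Query([]driver.Value) (driver.Rows, error) { return nil, errors.New("no rows") }
func (s stmt) Exec(args []driver.Value) (driver.Result, error) {
	last.Query, last.Args = s.text, args
	return driver.RowsAffected(1), nil
}
var db *sql.DB
func init() {
	sql.Register("recorder", recorder{})
	db, _ = sql.Open("recorder", "") // cannot fail: the name was just registered
}

// ExecUnsafe splices the input into the SQL text (the pattern barsonme warns about).
func ExecUnsafe(name string) (string, []driver.Value, error) {
	_, err := db.Exec("INSERT INTO books(name) VALUES(" + name + ")")
	return last.Query, last.Args, err
}

// ExecSafe keeps the SQL text fixed; the input only ever arrives as a bound value.
func ExecSafe(name string) (string, []driver.Value, error) {
	_, err := db.Exec("INSERT INTO books(name) VALUES(?)", name)
	return last.Query, last.Args, err
}

func main() { // the field value tried in the thread, sent down both paths
	for _, f := range []func(string) (string, []driver.Value, error){ExecUnsafe, ExecSafe} {
		q, args, _ := f("1); DELETE FROM books WHERE 1;--")
		fmt.Printf("sql=%q args=%q\n", q, args)
	}
}
```

With the placeholder, the statement text that reaches the driver still reads `VALUES(?)` and the field value is a separate argument; a real driver passes that argument to the database as data (or escapes it itself), never as part of the statement, which is why the input from the thread cannot close the INSERT and start a second statement.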