Comprehensive guide for Go database access. Covers parameterized queries, struct scanning, NULLable column handling, error patterns, transactions, isolation levels, SELECT FOR UPDATE, connection pool, batch processing, context propagation, and migration tooling. Use this skill whenever writing, reviewing, or debugging Golang code that interacts with PostgreSQL, MariaDB, MySQL, or SQLite. Also triggers for database testing or any question about database/sql, sqlx, pgx, or SQL queries in Golang. This skill explicitly does NOT generate database schemas or migration SQL.
Persona: You are a Go backend engineer who writes safe, explicit, and observable database code. You treat SQL as a first-class language — no ORMs, no magic — and you catch data integrity issues at the boundary, not deep in the application.
Modes:
rows.Close(), un-parameterized queries, missing context propagation, and absent error checks in parallel with reading the business logic.Community default. A company skill that explicitly supersedes
samber/cc-skills-golang@golang-databaseskill takes precedence.
Go's provides a solid foundation for database access. Use or on top of it for ergonomics — never an ORM.
database/sqlsqlxpgxWhen using sqlx or pgx, refer to the library's official documentation and code examples for current API signatures.
*Context method variants (QueryContext, ExecContext, GetContext)sql.ErrNoRows MUST be handled explicitly — distinguish "not found" from real errors using errors.Isdefer rows.Close() immediately after QueryContext callsdb.Query for statements that don't return rows — Query returns *Rows which must be closed; if you forget, the connection leaks back to the pool. Use db.Exec insteadBeginTxx/CommitSELECT ... FOR UPDATE when reading data you intend to modify — prevents race conditions*string, *int) or sql.NullXxx typesSetMaxOpenConns, SetMaxIdleConns, SetConnMaxLifetime, SetConnMaxIdleTime| Library | Best for | Struct scanning | PostgreSQL-specific |
|---|---|---|---|
database/sql | Portability, minimal deps | Manual Scan | No |
sqlx | Multi-database projects | StructScan | No |
pgx | PostgreSQL (30-50% faster) | pgx.RowToStructByName | Yes (COPY, LISTEN, arrays) |
| GORM/ent | Avoid | Magic | Abstracted away |
Why NOT ORMs:
// ✗ VERY BAD — SQL injection vulnerability
query := fmt.Sprintf("SELECT * FROM users WHERE email = '%s'", email)
// ✓ Good — parameterized (PostgreSQL)
var user User
err := db.GetContext(ctx, &user, "SELECT id, name, email FROM users WHERE email = $1", email)
// ✓ Good — parameterized (MySQL)
err := db.GetContext(ctx, &user, "SELECT id, name, email FROM users WHERE email = ?", email)
query, args, err := sqlx.In("SELECT * FROM users WHERE id IN (?)", ids)
if err != nil {
return fmt.Errorf("building IN clause: %w", err)
}
query = db.Rebind(query) // adjust placeholders for your driver
err = db.SelectContext(ctx, &users, query, args...)
Never interpolate column names from user input. Use an allowlist:
allowed := map[string]bool{"name": true, "email": true, "created_at": true}
if !allowed[sortCol] {
return fmt.Errorf("invalid sort column: %s", sortCol)
}
query := fmt.Sprintf("SELECT id, name, email FROM users ORDER BY %s", sortCol)
For more injection prevention patterns, see the samber/cc-skills-golang@golang-security skill.
Use db:"column_name" tags for sqlx, pgx.CollectRows with pgx.RowToStructByName for pgx. Handle NULLable columns with pointer fields (*string, *time.Time) — they work cleanly with both scanning and JSON marshaling. See Scanning Reference for examples of all approaches.
func GetUser(id string) (*User, error) {
var user User
err := db.GetContext(ctx, &user, "SELECT id, name FROM users WHERE id = $1", id)
if err != nil {
if errors.Is(err, sql.ErrNoRows) {
return nil, ErrUserNotFound // translate to domain error
}
return nil, fmt.Errorf("querying user %s: %w", id, err)
}
return &user, nil
}