Move db calls to prepared statements with context

[ankitnayan]

Move all db calls to prepared statements and specifically with context if possible to make signoz more secure from sql injections.
A query should not be a string prepared from fmt.sprintf(...) if it has args to pass. We should try to avoid string formatting for args.

[jshiwam]

Hi @ankitnayan Please assign this issue to me, I will complete the query-service installation today and will start making the changes. Also since we go for the Prepared Statements, here we are only trying to address the insecurities that arise due to malicious SQL data literals.

[jshiwam]

jshiwam@f18be5c

Hi @ankitnayan please check these comments. I have added them for some clarifications, as my understanding of the whole flow of the project might not be good enough. Please reply on those comments and point out if I have identified all the statments that need to be chagned.
Thanks.

[ankitnayan]

@jshiwam I think you are going to the right direction. One suggestion is to apply changes to only a few APIs or maybe 1 single API to start with and get it merged and then keep on adding small PRs for a small set of each APIs.

@srikanthccv please have a look and guide if needed

[jshiwam]

Sure Actually I have made change to one of the functions and it is working, the testing is also complete. I will remove the comments from those files and only keep that single change and make the first PR.

[srikanthccv]

Not fully addressed

[jshiwam]

Thanks @srikanthccv will add the changes here.

[jshiwam]

@srikanthccv @ankitnayan GetService queries clickhouse and we use the clickhouse-driver Conn in order to query the data there. I am not sure if they provide a way to use Prepare Statements. I am new to clickhouse so might be missing something. Please let me know if my observation is correct.