Severity: ⚠️ CRITICAL
Description:
Binding a UUID string to a parameter placeholder (?) in a WHERE clause causes a runtime panic with an "index out of range" error inside the driver.
Panic Message:
panic: runtime error: index out of range [30] with length 30
github.com/caretdev/go-irisnative/src/list.GetListItem
Symptoms:
- Runtime panic when executing query
- Stack trace points to go-irisnative internal code
- Only observed with UUID-typed columns (VARCHAR and INT columns work normally with parameters)
Minimal Reproduction:
package main

import (
	"database/sql"
	"fmt"
	"log"
	// Registers the "iris" driver name (import path assumed; match the go-irisnative version in use)
	_ "github.com/caretdev/go-irisnative/src/connect"
)

func countBrandsByOrg(db *sql.DB, orgID string) (int, error) {
	var count int
	// Standard database/sql parameterized query: this causes the panic
	query := `SELECT COUNT(*) FROM GPC.Brand WHERE Brand_Org_ID = ?`
	err := db.QueryRow(query, orgID).Scan(&count)
	// PANIC: runtime error: index out of range [30] with length 30
	return count, err
}

// Test case
func main() {
	db, err := sql.Open("iris", "iris://_SYSTEM:password@localhost:1972/USER")
	if err != nil {
		log.Fatal(err)
	}
	defer db.Close()
	orgID := "12CA3331-ABA3-426B-9A4F-E4E8B5CA24F5"
	count, err := countBrandsByOrg(db, orgID) // Panics here
	fmt.Println(count, err)
}
Workaround:
Embed UUID directly in SQL string using fmt.Sprintf:
func countBrandsByOrg(db *sql.DB, orgID string) (int, error) {
	var count int
	// Workaround: Embed UUID directly in SQL string
	query := fmt.Sprintf(`SELECT COUNT(*) FROM GPC.Brand WHERE Brand_Org_ID = '%s'`, orgID)
	err := db.QueryRow(query).Scan(&count) // Works fine
	return count, err
}
Note: in this code path the value comes from a Chi URL parameter and is validated as a UUID before it reaches the query, so the SQL injection exposure of this particular call is limited. The workaround is still string interpolation into SQL, so it is not acceptable for general-purpose code: any caller must enforce a strict UUID format check before embedding the value.
Impact: High - breaks the standard Go database/sql parameterized query pattern for UUID columns and pushes callers toward string interpolation, which increases SQL injection risk.
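If the fmt.Sprintf workaround has to be used while this bug is open, the value should be allowlisted before it is embedded. The following is an added example written for this report, not code from go-irisnative or from the affected application: SafeUUIDLiteral accepts only the canonical 8-4-4-4-12 hex form and returns it as a quoted SQL literal, BuildCountBrandsQuery assembles the report's query from that literal, and CountBrandsByOrg is the resulting drop-in replacement for the workaround above. Because the allowlist admits only hex digits and hyphens, no quoting or escaping of the value is needed; anything else (including an injection payload appended to a valid UUID) is rejected before any SQL is built. The function and error names are the example's own.

```go
package main

import (
	"database/sql"
	"errors"
	"fmt"
	"regexp"
)

// Canonical UUID shape: 8-4-4-4-12 hex digits, anchored at both ends so that
// quotes, spaces, comment markers or extra text cannot pass.
var uuidRe = regexp.MustCompile(
	`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`)

// ErrInvalidUUID is returned for any value that is not a canonical UUID.
var ErrInvalidUUID = errors.New("value is not a canonical UUID")

// SafeUUIDLiteral validates s against the allowlist and returns it as a
// single-quoted SQL literal. The allowlist contains no quote characters, so the
// value can be embedded in SQL text without escaping.
func SafeUUIDLiteral(s string) (string, error) {
	if !uuidRe.MatchString(s) {
		return "", ErrInvalidUUID
	}
	return "'" + s + "'", nil
}

// BuildCountBrandsQuery builds the literal-embedding query from the report's
// workaround, but only after the UUID has passed validation.
func BuildCountBrandsQuery(orgID string) (string, error) {
	lit, err := SafeUUIDLiteral(orgID)
	if err != nil {
		return "", fmt.Errorf("countBrandsByOrg: %w", err)
	}
	return "SELECT COUNT(*) FROM GPC.Brand WHERE Brand_Org_ID = " + lit, nil
}

// CountBrandsByOrg is the hardened form of the workaround: it refuses to run
// when the value fails validation instead of interpolating it blindly.
func CountBrandsByOrg(db *sql.DB, orgID string) (int, error) {
	query, err := BuildCountBrandsQuery(orgID)
	if err != nil {
		return 0, err
	}
	var count int
	err = db.QueryRow(query).Scan(&count)
	return count, err
}

func main() {
	// Constructed inputs: two well-formed UUIDs and two injection attempts.
	for _, in := range []string{
		"12CA3331-ABA3-426B-9A4F-E4E8B5CA24F5",
		"12ca3331-aba3-426b-9a4f-e4e8b5ca24f5",
		"12CA3331-ABA3-426B-9A4F-E4E8B5CA24F5' OR '1'='1",
		"' OR 1=1 --",
	} {
		q, err := BuildCountBrandsQuery(in)
		if err != nil {
			fmt.Printf("rejected %q: %v\n", in, err)
			continue
		}
		fmt.Println(q)
	}
}
```

The validation is deliberately a strict shape check rather than an escaping routine: escaping has to be correct for the target dialect, whereas an allowlist that admits no metacharacters is safe regardless of how the driver or IRIS parses the literal.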