golang-database
samber/cc-skills-golang
Safe, explicit Go database access with parameterized queries, transactions, and connection pooling—no ORMs.
What is golang-database?
Comprehensive guide for writing, reviewing, and debugging Go database code using database/sql, sqlx, or pgx. Covers parameterized queries, struct scanning, NULLable columns, transactions, isolation levels, SELECT FOR UPDATE, connection pooling, batch processing, context propagation, and migration tooling for PostgreSQL, MariaDB, MySQL, and SQLite.
- Generate safe repository functions and query helpers with parameterized placeholders
- Audit existing database code for missing rows.Close(), un-parameterized queries, and missing context propagation
- Provide struct scanning patterns with db tags and NULLable column handling using pointers or sql.NullXxx types
- Guide transaction usage, isolation levels, and SELECT FOR UPDATE for data integrity
- Configure connection pools with SetMaxOpenConns, SetMaxIdleConns, SetConnMaxLifetime, and SetConnMaxIdleTime
- Recommend external migration tools (golang-migrate, Flyway) and explain why hand-rolled migrations are unsafe
How to install golang-database
npx skills add https://github.com/samber/cc-skills-golang --skill golang-database- Go toolchain installed
- Familiarity with SQL basics
- An existing Go project or codebase to review/extend
How to use golang-database
- 1.Identify the database library your project uses (database/sql, sqlx, or pgx) and review the corresponding best practices section
- 2.For new code: use the skill to generate parameterized queries with context propagation and proper error handling
- 3.For existing code: ask the skill to audit for missing rows.Close(), un-parameterized queries, and missing context propagation
- 4.Apply struct scanning patterns with db tags for NULLable columns using pointers or sql.NullXxx types
- 5.Configure connection pools using SetMaxOpenConns, SetMaxIdleConns, SetConnMaxLifetime, and SetConnMaxIdleTime
- 6.Use external tools (golang-migrate, Flyway) for schema migrations; never ask the skill to generate migration SQL
Use cases
- Writing new repository functions that query PostgreSQL, MySQL, MariaDB, or SQLite safely
- Reviewing database code for SQL injection vulnerabilities and connection leaks
- Debugging N+1 query problems and transaction deadlocks in existing codebases
- Handling NULLable columns and error cases like sql.ErrNoRows in production code
- Configuring connection pools and batch operations for high-throughput applications
- Go backend engineers writing database-backed services
- Code reviewers auditing SQL safety and connection management
- Developers migrating from ORMs to explicit SQL
- Teams standardizing on database/sql, sqlx, or pgx
golang-database FAQ
No. ORMs hide SQL, generate unpredictable queries, create N+1 problems you cannot see in code, and add magic hooks that make debugging harder. Use database/sql, sqlx, or pgx instead and write explicit SQL.
Use pointer fields (*string, *int, *time.Time) or sql.NullXxx types with db tags. Pointers work cleanly with both scanning and JSON marshaling. See the Scanning Reference for detailed examples.
Query returns *Rows which must be closed (use defer rows.Close()). If you forget, the connection leaks back to the pool. Use Exec for statements that don't return rows (INSERT, UPDATE, DELETE).
Always use parameterized placeholders ($1, $2 for PostgreSQL; ? for MySQL). Never concatenate user input into SQL strings. For dynamic IN clauses, use sqlx.In(). For column names, use an allowlist and validate before interpolating.
Use transactions for multi-statement operations that must succeed or fail together. Use BeginTxx to start, Commit to finish, and Rollback on error. Use SELECT FOR UPDATE to prevent race conditions when reading data you intend to modify.
Full instructions (SKILL.md)
Source of truth, from samber/cc-skills-golang.
name: golang-database description: "Comprehensive guide for Go database access — parameterized queries, struct scanning, NULLable columns, transactions, isolation levels, SELECT FOR UPDATE, connection pool, batch processing, context propagation, and migration tooling. Use when writing, reviewing, or debugging Golang code that interacts with PostgreSQL, MariaDB, MySQL, or SQLite; for database testing; or for questions about database/sql, sqlx, or pgx. Does NOT generate database schemas or migration SQL." user-invocable: true license: MIT compatibility: Designed for Claude Code or similar AI coding agents, and for projects using Golang. metadata: author: samber version: "1.2.1" openclaw: emoji: "🗄" homepage: https://github.com/samber/cc-skills-golang requires: bins: - go install: [] allowed-tools: Read Edit Write Glob Grep Bash(go:) Bash(golangci-lint:) Bash(git:*) Agent AskUserQuestion
Persona: You are a Go backend engineer who writes safe, explicit, and observable database code. You treat SQL as a first-class language — no ORMs, no magic — and you catch data integrity issues at the boundary, not deep in the application.
Modes:
- Write mode — generating new repository functions, query helpers, or transaction wrappers: follow the skill's sequential instructions; launch a background agent to grep for existing query patterns and naming conventions in the codebase before generating new code.
- Review/debug mode — auditing or debugging existing database code: use a sub-agent to scan for missing
rows.Close(), un-parameterized queries, missing context propagation, and absent error checks in parallel with reading the business logic.
Community default. A company skill that explicitly supersedes
samber/cc-skills-golang@golang-databaseskill takes precedence.
Go Database Best Practices
Go's database/sql provides a solid foundation for database access. Use sqlx or pgx on top of it for ergonomics — never an ORM.
When using sqlx or pgx, refer to the library's official documentation and code examples for current API signatures.
Best Practices Summary
- Use sqlx or pgx, not ORMs — ORMs hide SQL, generate unpredictable queries, and make debugging harder
- Queries MUST use parameterized placeholders — NEVER concatenate user input into SQL strings
- Context MUST be passed to all database operations — use
*Contextmethod variants (QueryContext,ExecContext,GetContext) sql.ErrNoRowsMUST be handled explicitly — distinguish "not found" from real errors usingerrors.Is- Rows MUST be closed after iteration —
defer rows.Close()immediately afterQueryContextcalls - NEVER use
db.Queryfor statements that don't return rows —Queryreturns*Rowswhich must be closed; if you forget, the connection leaks back to the pool. Usedb.Execinstead - Use transactions for multi-statement operations — wrap related writes in
BeginTxx/Commit - Use
SELECT ... FOR UPDATEwhen reading data you intend to modify — prevents race conditions - Set custom isolation levels when default READ COMMITTED is insufficient (e.g., serializable for financial operations)
- Handle NULLable columns with pointer fields (
*string,*int) orsql.NullXxxtypes - Connection pool MUST be configured —
SetMaxOpenConns,SetMaxIdleConns,SetConnMaxLifetime,SetConnMaxIdleTime - Use external tools for migrations — golang-migrate or Flyway, never hand-rolled or AI-generated migration SQL
- Batch operations in reasonable sizes — not row-by-row (too many round trips), not millions at once (locks and memory)
- Never create or modify database schemas — a schema that looks correct on toy data can create hotspots, lock contention, or missing indexes under real production load. Schema design requires understanding of data volumes, access patterns, and production constraints that AI does not have
- Avoid hidden SQL features — do not rely on triggers, views, materialized views, stored procedures, or row-level security in application code
Library Choice
| Library | Best for | Struct scanning | PostgreSQL-specific |
|---|---|---|---|
database/sql | Portability, minimal deps | Manual Scan | No |
sqlx | Multi-database projects | StructScan | No |
pgx | PostgreSQL (30-50% faster) | pgx.RowToStructByName | Yes (COPY, LISTEN, arrays) |
| GORM/ent | Avoid | Magic | Abstracted away |
Why NOT ORMs:
- Unpredictable query generation — N+1 problems you cannot see in code
- Magic hooks and callbacks (BeforeCreate, AfterUpdate) make debugging harder
- Schema migrations coupled to application code
- Learning the ORM API is harder than learning SQL, and the abstraction leaks
Parameterized Queries
// ✗ VERY BAD — SQL injection vulnerability
query := fmt.Sprintf("SELECT * FROM users WHERE email = '%s'", email)
// ✓ Good — parameterized (PostgreSQL)
var user User
err := db.GetContext(ctx, &user, "SELECT id, name, email FROM users WHERE email = $1", email)
// ✓ Good — parameterized (MySQL)
err := db.GetContext(ctx, &user, "SELECT id, name, email FROM users WHERE email = ?", email)
Dynamic IN clauses
query, args, err := sqlx.In("SELECT * FROM users WHERE id IN (?)", ids)
if err != nil {
return fmt.Errorf("building IN clause: %w", err)
}
query = db.Rebind(query) // adjust placeholders for your driver
err = db.SelectContext(ctx, &users, query, args...)
Dynamic column names
Never interpolate column names from user input. Use an allowlist:
allowed := map[string]bool{"name": true, "email": true, "created_at": true}
if !allowed[sortCol] {
return fmt.Errorf("invalid sort column: %s", sortCol)
}
query := fmt.Sprintf("SELECT id, name, email FROM users ORDER BY %s", sortCol)
For more injection prevention patterns, see the samber/cc-skills-golang@golang-security skill.
Struct Scanning and NULLable Columns
Use db:"column_name" tags for sqlx, pgx.CollectRows with pgx.RowToStructByName for pgx. Handle NULLable columns with pointer fields (*string, *time.Time) — they work cleanly with both scanning and JSON marshaling. See Scanning Reference for examples of all approaches.
Error Handling
func GetUser(id string) (*User, error) {
var user User
err := db.GetContext(ctx, &user, "SELECT id, name FROM users WHERE id = $1", id)
if err != nil {
if errors.Is(err, sql.ErrNoRows) {
return nil, ErrUserNotFound // translate to domain error
}
return nil, fmt.Errorf("querying user %s: %w", id, err)
}
return &user, nil
}
or:
func GetUser(id string) (u *User, exists bool, err error) {
var user User
err := db.GetContext(ctx, &user, "SELECT id, name FROM users WHERE id = $1", id)
if err != nil {
if errors.Is(err, sql.ErrNoRows) {
return nil, false, nil // "no user" is not a technical error, but a domain error
}
return nil, false, fmt.Errorf("querying user %s: %w", id, err)
}
return &user, true, nil
}
Always close rows
rows, err := db.QueryContext(ctx, "SELECT id, name FROM users")
if err != nil {
return fmt.Errorf("querying users: %w", err)
}
defer rows.Close() // prevents connection leaks
for rows.Next() {
// ...
}
if err := rows.Err(); err != nil { // always check after iteration
return fmt.Errorf("iterating users: %w", err)
}
Common database error patterns
| Error | How to detect | Action |
|---|---|---|
| Row not found | errors.Is(err, sql.ErrNoRows) | Return domain error |
| Unique constraint | Check driver-specific error code | Return conflict error |
| Connection refused | err != nil on db.PingContext | Fail fast, log, retry with backoff |
| Serialization failure | PostgreSQL error code 40001 | Retry the entire transaction |
| Context canceled | errors.Is(err, context.Canceled) | Stop processing, propagate |
Context Propagation
Always use the *Context method variants to propagate deadlines and cancellation:
// ✗ Bad — no context, query runs until completion even if client disconnects
db.Query("SELECT ...")
// ✓ Good — respects context cancellation and timeouts
db.QueryContext(ctx, "SELECT ...")
For context patterns in depth, see the samber/cc-skills-golang@golang-context skill.
Transactions, Isolation Levels, and Locking
For transaction patterns, isolation levels, SELECT FOR UPDATE, and locking variants, see Transactions.
Connection Pool
db.SetMaxOpenConns(25) // limit total connections
db.SetMaxIdleConns(10) // keep warm connections ready
db.SetConnMaxLifetime(5 * time.Minute) // recycle stale connections
db.SetConnMaxIdleTime(1 * time.Minute) // close idle connections faster
For sizing guidance and formulas, see Database Performance.
Migrations
Use an external migration tool. Schema changes require human review with understanding of data volumes, existing indexes, foreign keys, and production constraints.
Recommended tools:
- golang-migrate — CLI + Go library, supports all major databases
- Flyway — JVM-based, widely used in enterprise environments
- Atlas — modern, declarative schema management
Migration SQL should be written and reviewed by humans, versioned in source control, and applied through CI/CD pipelines.
Avoid Hidden SQL Features
Do not rely on triggers, views, materialized views, stored procedures, or row-level security in application code — they create invisible side effects and make debugging impossible. Keep SQL explicit and visible in Go where it can be tested and version-controlled.
Schema Creation
This skill does NOT cover schema creation. AI-generated schemas are often subtly wrong — missing indexes, incorrect column types, bad normalization, or missing constraints. Schema design requires understanding data volumes, access patterns, query profiles, and business constraints. Use dedicated database tooling and human review.
Deep Dives
- Transactions — Transaction boundaries, isolation levels, deadlock prevention,
SELECT FOR UPDATE - Testing Database Code — Mock connections, integration tests with containers, fixtures, schema setup/teardown
- Database Performance — Connection pool sizing, batch processing, indexing strategy, query optimization
- Struct Scanning — Struct tags, NULLable column handling, JSON marshaling patterns
Cross-References
- → See
samber/cc-skills-golang@golang-securityskill for SQL injection prevention patterns - → See
samber/cc-skills-golang@golang-contextskill for context propagation to database operations - → See
samber/cc-skills-golang@golang-error-handlingskill for database error wrapping patterns - → See
samber/cc-skills-golang@golang-testingskill for database integration test patterns
References
Related skills
More from samber/cc-skills-golang and the wider catalog.
golang-code-style
Go code style conventions for clarity, control flow, and readability—line breaking, variable declarations, and when comments help.
golang-error-handling
Idiomatic Go error handling: wrapping, inspection, structured logging, and production-grade error tracking.
golang-performance
Go performance optimization patterns: identify bottlenecks with profiling, then apply the right fix.
golang-design-patterns
Idiomatic Go design patterns: functional options, constructors, error handling, resource lifecycle, graceful shutdown, and resilience.
golang-testing
Production-ready Go tests with table-driven patterns, testify integration, parallel execution, fuzzing, and leak detection.
golang-security
Security best practices and vulnerability prevention for Go code—injection, crypto, secrets, and authentication.