From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Glen K <glenk1973(at)hotmail(dot)com> |
Cc: | "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Feature request: Settings to disable comments and multiple statements in a connection |
Date: | 2025-06-04 23:05:52 |
Message-ID: | 1079732.1749078352@sss.pgh.pa.us |
Lists: | pgsql-general |

Glen K <glenk1973(at)hotmail(dot)com> writes:
> My feature requests are thus:
> Provide a client connection option (and/or implement the backend support) to disallow comments in SQL statements

I don't believe that this would move the needle on SQL-injection
safety by enough to be worth doing. An injection attack is normally
trying to break out of a quoted string, not a comment.

> Provide a client connection option (and/or implement the backend support) to allow only one statement in an execute request

This exists already; you just have to use the extended query protocol.

> Provide an option in the client execute functions (and/or implement
> the backend support) to specify the expected number of statements.

I don't see the need for this given #2.

regards, tom lane
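
The difference between the simple and extended query protocols referred to in the message above, shown at the wire level as an added example (not part of the original message and not PostgreSQL or libpq code). In the extended protocol the server reports a syntax error if the string in a Parse message contains more than one statement, and parameter values travel separately in Bind; the table name, column name and input value below are constructed for illustration.

```python
import struct

def _msg(tag, body):
    # Frontend message: 1-byte type, int32 length (counts itself, not the type byte), body.
    return tag + struct.pack("!I", len(body) + 4) + body

def _cstr(s):
    # Protocol strings are NUL-terminated.
    return s.encode("utf-8") + b"\x00"

def simple_query(sql):
    # Simple protocol: one Query message whose string may hold several statements.
    return _msg(b"Q", _cstr(sql))

def extended_query(sql, params):
    # Parse: unnamed statement, SQL text, zero declared parameter type OIDs.
    parse = _msg(b"P", _cstr("") + _cstr(sql) + struct.pack("!H", 0))
    # Bind: unnamed portal and statement, 0 format codes (all text), parameter count,
    # each value as int32 length + raw bytes, then 0 result format codes.
    body = _cstr("") + _cstr("") + struct.pack("!HH", 0, len(params))
    for p in params:
        raw = p.encode("utf-8")
        body += struct.pack("!i", len(raw)) + raw
    body += struct.pack("!H", 0)
    bind = _msg(b"B", body)
    execute = _msg(b"E", _cstr("") + struct.pack("!i", 0))  # 0 = no row limit
    sync = _msg(b"S", b"")
    return [parse, bind, execute, sync]

def parse_sql_text(parse_msg):
    # Recover the SQL text from a Parse message: skip 5-byte header and statement name.
    body = parse_msg[5:]
    name_end = body.index(b"\x00")
    sql_end = body.index(b"\x00", name_end + 1)
    return body[name_end + 1:sql_end].decode("utf-8")

# Constructed sample input: a value containing a quote, a second statement and a comment.
USER_INPUT = "x'; SELECT 1; --"
CONCATENATED = "SELECT id FROM accounts WHERE name = '" + USER_INPUT + "'"
TEMPLATE = "SELECT id FROM accounts WHERE name = $1"

if __name__ == "__main__":
    # Simple protocol: the input is part of the SQL text the server will parse.
    print(simple_query(CONCATENATED))
    # Extended protocol: Parse carries only the template, Bind carries the value.
    for m in extended_query(TEMPLATE, [USER_INPUT]):
        print(m[:1].decode(), m)
```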