From: | Surafel Temesgen <surafel3000(at)gmail(dot)com> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Disallowing multiple queries per PQexec() |
Date: | 2017-02-27 13:58:19 |
Message-ID: | CALAY4q8dJOfS6eeiSJeM7zGiywPrZQJ-cZC-Teom1FxJm8DCww@mail.gmail.com |
Lists: | pgsql-hackers |
This assignment is on the todo list and has the benefit of providing an
additional defense against SQL-injection attacks. Previous mailing list
discussion is here
<https://www.postgresql.org/message-id/9236.1167968298@sss.pgh.pa.us> and I
attach a small patch that fixes the issue by checking whether the query string
contains multiple SQL commands without being a transaction block, and
emits an appropriate error message in the case of a multi-command query
string that is not a transaction block.
This patch was tested using the psql -c option,
i.e. if it is not a transaction block and has multiple query strings, it
emits an appropriate error message.
psql -c 'DECLARE myportal CURSOR FOR select * from pg_database;FETCH ALL in myportal;CLOSE myportal' postgres
ERROR: cannot execute multiple commands unless it is a transaction block
In the case of a transaction block or a single-command query string, it continues
with normal execution:
psql -c 'BEGIN;DECLARE myportal CURSOR FOR select * from pg_database;FETCH ALL in myportal;CLOSE myportal;END' postgres
COMMIT
psql -c 'CREATE TABLE foo();' postgres
CREATE TABLE
Comments?
Regards
Surafel
Attachment | Content-Type | Size |
---|---|---|
disallow-multiple-queries-1.patch | application/octet-stream | 1.6 KB |
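The check the post describes, as an added standalone illustration (this is not the attached patch and not libpq or psql code): a small tokenizer splits the query string on top-level semicolons, treating single-quoted strings, double-quoted identifiers, dollar-quoted strings and both comment styles as opaque so a semicolon inside them is not a command boundary, and then applies the rule from the post: more than one command is only accepted when the string forms a transaction block. The post only shows BEGIN ... END; it is an assumption here that START TRANSACTION and COMMIT/ROLLBACK/ABORT should be treated the same way. The error text is copied from the psql output above.

```python
"""Detect multi-command SQL strings that are not wrapped in a transaction block.

Added example, not the patch from the thread and not PostgreSQL code.
The splitting rules follow PostgreSQL's lexical conventions (quoted strings,
quoted identifiers, dollar quoting, -- and nested /* */ comments); the
transaction-block rule is the one described in the post, extended (as an
assumption) to START TRANSACTION and to COMMIT/ROLLBACK/ABORT endings.
"""
import re
from typing import List, Optional

# Error text as shown in the psql output in the post.
MULTI_CMD_ERROR = "cannot execute multiple commands unless it is a transaction block"

_DOLLAR_TAG = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)?\$")


def split_statements(sql: str) -> List[str]:
    """Split on semicolons that are outside strings, identifiers and comments."""
    stmts: List[str] = []
    buf: List[str] = []
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if sql.startswith("--", i):                      # line comment
            j = sql.find("\n", i)
            i = n if j == -1 else j
            buf.append(" ")
            continue
        if sql.startswith("/*", i):                      # block comment (nests in PostgreSQL)
            depth, j = 1, i + 2
            while j < n and depth:
                if sql.startswith("/*", j):
                    depth, j = depth + 1, j + 2
                elif sql.startswith("*/", j):
                    depth, j = depth - 1, j + 2
                else:
                    j += 1
            buf.append(" ")
            i = j
            continue
        if ch in ("'", '"'):                              # 'string' or "identifier"
            j = i + 1
            while j < n:
                if sql[j] == ch:
                    if j + 1 < n and sql[j + 1] == ch:    # doubled quote escapes the quote
                        j += 2
                        continue
                    j += 1
                    break
                j += 1
            buf.append(sql[i:j])
            i = j
            continue
        if ch == "$":                                     # $tag$ ... $tag$ dollar quoting
            m = _DOLLAR_TAG.match(sql, i)
            if m:
                tag = m.group(0)
                j = sql.find(tag, i + len(tag))
                j = n if j == -1 else j + len(tag)
                buf.append(sql[i:j])
                i = j
                continue
        if ch == ";":                                     # top-level command boundary
            stmt = "".join(buf).strip()
            if stmt:
                stmts.append(stmt)
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    stmt = "".join(buf).strip()
    if stmt:
        stmts.append(stmt)
    return stmts


def is_transaction_block(stmts: List[str]) -> bool:
    """True when the first command opens and the last command closes a transaction."""
    first = stmts[0].upper().split()
    last = stmts[-1].upper().split()
    opens = first[:1] == ["BEGIN"] or first[:2] == ["START", "TRANSACTION"]
    closes = last[:1] in (["COMMIT"], ["END"], ["ROLLBACK"], ["ABORT"])  # assumed set
    return opens and closes


def check_query_string(sql: str) -> Optional[str]:
    """Return None when the string may be executed, else the error message."""
    stmts = split_statements(sql)
    if len(stmts) <= 1 or is_transaction_block(stmts):
        return None
    return MULTI_CMD_ERROR


if __name__ == "__main__":
    for q in ("DECLARE myportal CURSOR FOR select * from pg_database;FETCH ALL in myportal;CLOSE myportal",
              "BEGIN;DECLARE myportal CURSOR FOR select * from pg_database;FETCH ALL in myportal;CLOSE myportal;END",
              "CREATE TABLE foo();"):
        print(repr(q[:30]), "->", check_query_string(q) or "ok")
```

The three inputs in the `__main__` block are the three psql invocations from the post; the first is rejected and the other two pass. Splitting before counting matters: a semicolon inside `'...'`, `"..."`, `$$...$$` or a comment must not count as a boundary, otherwise legitimate single commands would be refused while the check still gains nothing against a string that is one command.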