Peter Kovacs <peter.kovacs@siemens.com> writes:
> I think that the simplest thing would be to have an option in the
> backend to disable processing of multiple statements in one query --
> i.e. disallow the use of ';' as a separator of statements.
FWIW, the new "extended query" protocol has exactly such a restriction.
However that hardly excuses any sloppiness in allowing
non-syntax-checked parameter values through. Consider changing
"WHERE x < ?" to
"WHERE x < 42 AND my_function_with_interesting_side_effects()"
No semicolons in sight, but I can still clean out your bank balance ;-)
regards, tom lane
