Given that most
SQL injections involve use of comments and/or insertion of semi-colons to start a new statement, it seems to me that injection attacks could be substantially reduced if client connections could be configured to disallow comments in SQL and to only allow one statement to be executed per request. In my experience developing backends for APIs, I have never come across a case where comments were needed or desired within SQL statements generated for API requests, and I'm not aware of any use cases where it was essential to send two statements in the same execute request (but perhaps there are).
My feature requests are thus:
Provide a client connection option (and/or implement the backend support) to disallow comments in SQL statements
Provide a client connection option (and/or implement the backend support) to allow only one statement in an execute request
Provide an option in the client execute functions (and/or implement the backend support) to specify the expected number of statements. This would override the client connection option and would inhibit attackers from injecting additional statements
Such features would not be an alternative to using parameterized queries, sanitized user input or any other injection mitigation measures, but would provide another layer of security on top of those measures.
-Glen
