Thread: Feature request: Settings to disable comments and multiple statements in a connection
Feature request: Settings to disable comments and multiple statements in a connection
From
Glen K
Date:
Given that most SQL injections involve use of comments and/or insertion of semi-colons to start a new statement, it seems to me that injection attacks could be substantially reduced if client connections could be configured to disallow comments in SQL and to only allow one statement to be executed per request. In my experience developing backends for APIs, I have never come across a case where comments were needed or desired within SQL statements generated for API requests, and I'm not aware of any use cases where it was essential to send two statements in the same execute request (but perhaps there are).
My feature requests are thus:
- Provide a client connection option (and/or implement the backend support) to disallow comments in SQL statements
- Provide a client connection option (and/or implement the backend support) to allow only one statement in an execute request
- Provide an option in the client execute functions (and/or implement the backend support) to specify the expected number of statements. This would override the client connection option and would inhibit attackers from injecting additional statements
Such features would not be an alternative to using parameterized queries, sanitized user input or any other injection mitigation measures, but would provide another layer of security on top of those measures.
-Glen
Re: Feature request: Settings to disable comments and multiple statements in a connection
From
Tom Lane
Date:
Glen K <glenk1973@hotmail.com> writes:
> My feature requests are thus:
> Provide a client connection option (and/or implement the backend support) to disallow comments in SQL statements
I don't believe that this would move the needle on SQL-injection
safety by enough to be worth doing. An injection attack is normally
trying to break out of a quoted string, not a comment.
> Provide a client connection option (and/or implement the backend support) to allow only one statement in an execute
request
This exists already; you just have to use the extended query protocol.
> Provide an option in the client execute functions (and/or implement
> the backend support) to specify the expected number of statements.
I don't see the need for this given #2.
regards, tom lane
Re: Feature request: Settings to disable comments and multiple statements in a connection
From
Francisco Olarte
Date:
On Thu, 5 Jun 2025 at 01:06, Tom Lane <tgl@sss.pgh.pa.us> wrote: > ... An injection attack is normally > trying to break out of a quoted string, not a comment. I think the comments he refers to are more used to do "bobby tables" like stuff, as helpers in correct statement forming, not to inject per se. ( I do not think the feature request is worth doing either, just commenting ). Francisco Olarte.
Re: Feature request: Settings to disable comments and multiple statements in a connection
From
Karsten Hilbert
Date:
Am Wed, Jun 04, 2025 at 10:41:15PM +0000 schrieb Glen K: > In my experience developing backends for APIs, I have > never come across a case where comments were needed or > desired within SQL statements generated for API requests, Being able to garnish with comments the SQL being sent to a backend greatly aids in debugging queries (such as which query originated from which part of remote code [or even when]). Not that it didn't take me quite a few years to chance upon that idea ... Best regards, Karsten -- GPG 40BE 5B0E C98E 1713 AFA6 5BC0 3BEA AC80 7D4F C89B