public inbox for [email protected]
help / color / mirror / Atom feedFrom: Tom Lane <[email protected]>
To: Glen K <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: Feature request: Settings to disable comments and multiple statements in a connection
Date: Wed, 04 Jun 2025 19:05:52 -0400
Message-ID: <[email protected]> (raw)
In-Reply-To: <BN0P223MB0152E29A351757553BB74C19A86CA@BN0P223MB0152.NAMP223.PROD.OUTLOOK.COM>
References: <BN0P223MB0152E29A351757553BB74C19A86CA@BN0P223MB0152.NAMP223.PROD.OUTLOOK.COM>
Glen K <[email protected]> writes:
> My feature requests are thus:
> Provide a client connection option (and/or implement the backend support) to disallow comments in SQL statements
I don't believe that this would move the needle on SQL-injection
safety by enough to be worth doing. An injection attack is normally
trying to break out of a quoted string, not a comment.
> Provide a client connection option (and/or implement the backend support) to allow only one statement in an execute request
This exists already; you just have to use the extended query protocol.
> Provide an option in the client execute functions (and/or implement
> the backend support) to specify the expected number of statements.
I don't see the need for this given #2.
regards, tom lane
view thread (9+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: Feature request: Settings to disable comments and multiple statements in a connection
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox