From: Tom Lane
To: Glen K
cc: "pgsql-general@lists.postgresql.org"
Subject: Re: Feature request: Settings to disable comments and multiple statements in a connection
Comments: In-reply-to Glen K message dated "Wed, 04 Jun 2025 22:41:15 -0000"
Date: Wed, 04 Jun 2025 19:05:52 -0400
Message-ID: <1079732.1749078352@sss.pgh.pa.us>

Glen K writes:
> My feature requests are thus:
> Provide a client connection option (and/or implement the backend support) to disallow comments in SQL statements

I don't believe that this would move the needle on SQL-injection safety by enough to be worth doing. An injection attack is normally trying to break out of a quoted string, not a comment.

> Provide a client connection option (and/or implement the backend support) to allow only one statement in an execute request

This exists already; you just have to use the extended query protocol.

> Provide an option in the client execute functions (and/or implement
> the backend support) to specify the expected number of statements.

I don't see the need for this given #2.

regards, tom lane
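To make point #2 concrete, here is an added Python sketch (not code from this thread or from PostgreSQL) that frames the same request as a simple-protocol Query message and as an extended-protocol Parse/Bind/Execute/Sync sequence, so you can see that the SQL text in Parse carries exactly one statement and that parameter values travel separately in Bind. The function names and the constructed sample value are mine.

```python
import struct

def _cstr(s: str) -> bytes:
    """Protocol String: UTF-8 bytes terminated by a single NUL."""
    return s.encode("utf-8") + b"\x00"

def _msg(tag: bytes, body: bytes) -> bytes:
    """Frame a message: 1-byte tag, Int32 length (counts itself, not the tag), body."""
    return tag + struct.pack("!I", len(body) + 4) + body

def simple_query(sql: str) -> bytes:
    """Simple query protocol: a single 'Q' message; its text may hold several
    ';'-separated statements, which the server runs one after another."""
    return _msg(b"Q", _cstr(sql))

def extended_query(sql: str, params: list) -> bytes:
    """Extended query protocol on the unnamed statement/portal. The text in Parse
    may contain only ONE statement (the server rejects more with
    'cannot insert multiple commands into a prepared statement'); values go in Bind."""
    parse = _msg(b"P", _cstr("") + _cstr(sql) + struct.pack("!h", 0))  # no param type OIDs
    bind = _cstr("") + _cstr("") + struct.pack("!h", 0)  # all parameters in text format
    bind += struct.pack("!h", len(params))
    for p in params:
        if p is None:
            bind += struct.pack("!i", -1)  # length -1 encodes SQL NULL
        else:
            raw = str(p).encode("utf-8")
            bind += struct.pack("!i", len(raw)) + raw
    bind += struct.pack("!h", 0)  # all result columns in text format
    execute = _msg(b"E", _cstr("") + struct.pack("!i", 0))  # 0 = no row limit
    return parse + _msg(b"B", bind) + execute + _msg(b"S", b"")

def split_messages(buf: bytes) -> list:
    """Split a frontend byte stream back into (tag, body) pairs."""
    out, i = [], 0
    while i < len(buf):
        tag, (length,) = buf[i:i + 1], struct.unpack("!I", buf[i + 1:i + 5])
        out.append((tag, buf[i + 5:i + 1 + length]))
        i += 1 + length
    return out

if __name__ == "__main__":
    # Constructed sample: a value that would close the quote and stack a statement if spliced into SQL.
    value = "O'Brien'; SELECT 1; --"
    print(simple_query(f"SELECT * FROM accounts WHERE name = '{value}'"))
    for tag, body in split_messages(extended_query("SELECT * FROM accounts WHERE name = $1", [value])):
        print(tag, body)
```

Run it and compare the two outputs: in the simple form the value is part of the statement text, while in the extended form the Parse body contains only `SELECT ... $1` and the value appears solely inside the Bind message.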