public inbox for [email protected]  
From: Glen K <[email protected]>
To: Tom Lane <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: Feature request: Settings to disable comments and multiple statements in a connection
Date: Sat, 7 Jun 2025 21:18:01 +0000
Message-ID: <BN0P223MB01527999F0D58FEB13757986A869A@BN0P223MB0152.NAMP223.PROD.OUTLOOK.COM> (raw)
In-Reply-To: <[email protected]>
References: <BN0P223MB0152E29A351757553BB74C19A86CA@BN0P223MB0152.NAMP223.PROD.OUTLOOK.COM>
	<[email protected]>

> I don't believe that this would move the needle on SQL-injection
> safety by enough to be worth doing.  An injection attack is normally
> trying to break out of a quoted string, not a comment.

Yes, SQL injections frequently involve escaping quoted strings, but if you do a search for SQL injection examples, you will find that most of them (I would say 90% or more) also use comments to remove the remainder of the SQL statement from consideration. Here is one example where an attacker specifies "admin'--;" as the username:

SELECT * FROM members WHERE username = 'admin'--;' AND password = 'password';

The comment in this example removes the password from inclusion in the statement, allowing the attacker to log in as admin without a password.

If 90% of injection attacks make use of comments (together with quoted string escapes), it seems to me that a connection configuration option to disable comments would "move the needle" substantially.

With comments disabled, attackers would have to craft their attacks to account for the SQL following the escaped string. While significantly more difficult, it's not impossible, but would likely involve adding a semi-colon to terminate the statement with the attack and follow it with additional SQL to render the remainder of the original statement into a benign second statement. And this is why I've also suggested being able to configure a connection to disallow multiple statements.

Together, being able to disable comments and restrict executions to single statements would make it significantly more difficult for attackers to conduct injection attacks on APIs that use a connection configured this way.

-Glen

________________________________
From: Tom Lane <[email protected]>
Sent: Wednesday, June 4, 2025 4:05:56 p.m.
To: Glen K <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: Feature request: Settings to disable comments and multiple statements in a connection

Glen K <[email protected]> writes:
> My feature requests are thus:

> Provide a client connection option (and/or implement the backend support) to disallow comments in SQL statements

I don't believe that this would move the needle on SQL-injection
safety by enough to be worth doing.  An injection attack is normally
trying to break out of a quoted string, not a comment.

> Provide a client connection option (and/or implement the backend support) to allow only one statement in an execute request

This exists already; you just have to use the extended query protocol.

> Provide an option in the client execute functions (and/or implement
> the backend support) to specify the expected number of statements.

I don't see the need for this given #2.

                        regards, tom lane
