From: Glen K <glenk1973@hotmail.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: pgsql-general@lists.postgresql.org
Subject: Re: Feature request: Settings to disable comments and multiple statements in a connection
Date: Sat, 7 Jun 2025 21:18:01 +0000
In-Reply-To: <1079732.1749078352@sss.pgh.pa.us>

> I don't believe that this would move the needle on SQL-injection
> safety by enough to be worth doing.  An injection attack is normally
> trying to break out of a quoted string, not a comment.

Yes, SQL injections frequently involve escaping quoted strings, but if you do a search for SQL injection examples, you will find that most of them (I would say 90% or more) also use comments to remove the remainder of the SQL statement from consideration. Here is one example where an attacker specifies "admin'--;" as the username:

SELECT * FROM members WHERE username = 'admin'--;' AND password = 'password';

The comment in this example removes the password from inclusion in the statement, allowing the attacker to log in as admin without a password.
If 90% of injection attacks make use of comments (together with quoted string escapes), it seems to me that a connection configuration option to disable comments would "move the needle" substantially.

With comments disabled, attackers would have to craft their attacks to account for the SQL following the escaped string. While significantly more difficult, it's not impossible, but would likely involve adding a semi-colon to terminate the statement with the attack and follow it with additional SQL to render the remainder of the original statement into a benign second statement. And this is why I've also suggested being able to configure a connection to disallow multiple statements.

Together, being able to disable comments and restrict executions to single statements would make it significantly more difficult for attackers to conduct injection attacks on APIs that use a connection configured this way.

-Glen

________________________________
From: Tom Lane <tgl@sss.pgh.pa.us>
Sent: Wednesday, June 4, 2025 4:05:56 p.m.
To: Glen K <glenk1973@hotmail.com>
Cc: pgsql-general@lists.postgresql.org
Subject: Re: Feature request: Settings to disable comments and multiple statements in a connection

Glen K <glenk1973@hotmail.com> writes:
> My feature requests are thus:

> Provide a client connection option (and/or implement the backend support) to disallow comments in SQL statements

I don't believe that this would move the needle on SQL-injection
safety by enough to be worth doing.  An injection attack is normally
trying to break out of a quoted string, not a comment.

> Provide a client connection option (and/or implement the backend support) to allow only one statement in an execute request

This exists already; you just have to use the extended query protocol.

> Provide an option in the client execute functions (and/or implement
> the backend support) to specify the expected number of statements.

I don't see the need for this given #2.
                        regards, tom lane