From: Glen K
To: pgsql-general@lists.postgresql.org
Subject: Feature request: Settings to disable comments and multiple statements in a connection
Date: Wed, 4 Jun 2025 22:41:15 +0000
Given that most SQL injections involve use of comments and/or insertion of semicolons to start a new statement, it seems to me that injection attacks could be substantially reduced if client connections could be configured to disallow comments in SQL and to only allow one statement to be executed per request. In my experience developing backends for APIs, I have never come across a case where comments were needed or desired within SQL statements generated for API requests, and I'm not aware of any use cases where it was essential to send two statements in the same execute request (but perhaps there are).
My feature requests are thus:

* Provide a client connection option (and/or implement the backend support) to disallow comments in SQL statements
* Provide a client connection option (and/or implement the backend support) to allow only one statement in an execute request
* Provide an option in the client execute functions (and/or implement the backend support) to specify the expected number of statements. This would override the client connection option and would inhibit attackers from injecting additional statements

Such features would not be an alternative to using parameterized queries, sanitized user input or any other injection mitigation measures, but would provide another layer of security on top of those measures.

-Glen
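The three settings requested in the message above can be approximated today on the client side, in front of the driver's execute() call. The following is an added example and is not code from the message, from libpq or from any PostgreSQL driver; the names scan, check_sql, UnsafeSQL and is_rejected are illustrative. It walks the SQL text the way a lexer would, skipping over literals ('x', E'x', "x", $$x$$ and $tag$x$tag$) so that a semicolon or "--" inside a quoted value is not mistaken for a statement boundary or a comment, and then enforces a policy: no comments, and exactly the expected number of top-level statements. It assumes standard_conforming_strings is on (the default since PostgreSQL 9.1), so a backslash in a plain '...' literal is not an escape.

```python
import re


class UnsafeSQL(ValueError):
    """Raised when the SQL text violates the configured policy (illustrative name)."""


_DOLLAR_TAG = re.compile(r"\$([A-Za-z_][A-Za-z_0-9]*)?\$")


def _ident_char(ch: str) -> bool:
    return ch.isalnum() or ch == "_"


def _skip_quoted(sql: str, i: int, quote: str, backslash: bool = False) -> int:
    """Return the index just past the closing quote of a literal that starts at i.
    A doubled quote ('' or "") does not terminate the literal; in E'...' strings
    (backslash=True) a backslash-escaped quote does not terminate it either."""
    n = len(sql)
    while i < n:
        ch = sql[i]
        if backslash and ch == "\\":
            i += 2                      # skip the escaped character
            continue
        if ch == quote:
            if i + 1 < n and sql[i + 1] == quote:
                i += 2                  # doubled quote, stay inside the literal
                continue
            return i + 1
        i += 1
    raise UnsafeSQL("unterminated quoted literal")


def scan(sql: str) -> tuple[int, int]:
    """Count (statements, comments) at top level. Literals are skipped as units,
    block comments nest as they do in PostgreSQL's lexer, and an empty statement
    (';;') is not counted because it can carry no payload."""
    i, n = 0, len(sql)
    statements = comments = 0
    in_statement = False                # a non-blank token seen since the last ';'
    while i < n:
        ch = sql[i]
        prev_ident = i > 0 and _ident_char(sql[i - 1])
        if sql.startswith("--", i):                               # line comment
            comments += 1
            j = sql.find("\n", i)
            i = n if j < 0 else j + 1
        elif sql.startswith("/*", i):                             # nested block comment
            comments += 1
            depth, i = 1, i + 2
            while i < n and depth:
                if sql.startswith("/*", i):
                    depth, i = depth + 1, i + 2
                elif sql.startswith("*/", i):
                    depth, i = depth - 1, i + 2
                else:
                    i += 1
            if depth:
                raise UnsafeSQL("unterminated block comment")
        elif ch.isspace():
            i += 1
        elif ch == ";":                                           # statement terminator
            if in_statement:
                statements += 1
            in_statement = False
            i += 1
        else:
            in_statement = True
            if ch in "eE" and not prev_ident and sql.startswith("'", i + 1):
                i = _skip_quoted(sql, i + 2, "'", backslash=True)  # E'...' literal
            elif ch == "'":
                i = _skip_quoted(sql, i + 1, "'")                  # standard string
            elif ch == '"':
                i = _skip_quoted(sql, i + 1, '"')                  # quoted identifier
            elif ch == "$" and not prev_ident and (m := _DOLLAR_TAG.match(sql, i)):
                tag = m.group(0)                                   # $$ or $tag$
                j = sql.find(tag, m.end())
                if j < 0:
                    raise UnsafeSQL("unterminated dollar-quoted string")
                i = j + len(tag)
            else:
                i += 1
    if in_statement:
        statements += 1                 # last statement had no trailing ';'
    return statements, comments


def check_sql(sql: str, expected_statements: int = 1, allow_comments: bool = False) -> str:
    """Enforce the policy and hand the text back unchanged, so it can wrap execute()."""
    statements, comments = scan(sql)
    if comments and not allow_comments:
        raise UnsafeSQL(f"{comments} comment(s) present")
    if statements != expected_statements:
        raise UnsafeSQL(f"expected {expected_statements} statement(s), found {statements}")
    return sql


def is_rejected(sql: str, **policy) -> bool:
    """True if check_sql() refuses the text under the given policy."""
    try:
        check_sql(sql, **policy)
    except UnsafeSQL:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a parameterized query, a literal that merely looks like
    # an injection, and a classic injected payload with a trailing comment.
    for q in ("SELECT id FROM users WHERE name = $1",
              "SELECT id FROM users WHERE name = 'O''Brien; -- not a comment'",
              "SELECT id FROM users WHERE name = '' OR 1=1; DROP TABLE users; --'"):
        print("rejected" if is_rejected(q) else "accepted", "->", q)
```

Two caveats when using something like this. First, it is an approximation of the server's lexer, not the lexer itself; a mismatch between the two is exactly where a bypass would live, so it is a second layer behind parameterized queries, as the message says, not a replacement for them. Second, PostgreSQL's extended query protocol, which drivers use for parameterized execution, already rejects a Parse message containing more than one command (the server reports "cannot insert multiple commands into a prepared statement"), so the single-statement rule comes for free as soon as a query is sent with parameters rather than as a concatenated simple-query string.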