From: Adrian Klaver <[email protected]>
To: Glen K <[email protected]>
To: Tom Lane <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: Feature request: Settings to disable comments and multiple statements in a connection
Date: Sat, 7 Jun 2025 14:56:45 -0700
Message-ID: <[email protected]> (raw)
In-Reply-To: <BN0P223MB01527999F0D58FEB13757986A869A@BN0P223MB0152.NAMP223.PROD.OUTLOOK.COM>
References: <BN0P223MB0152E29A351757553BB74C19A86CA@BN0P223MB0152.NAMP223.PROD.OUTLOOK.COM>
<[email protected]>
<BN0P223MB01527999F0D58FEB13757986A869A@BN0P223MB0152.NAMP223.PROD.OUTLOOK.COM>
On 6/7/25 14:18, Glen K wrote:
>> I don't believe that this would move the needle on SQL-injection
>> safety by enough to be worth doing. An injection attack is normally
>> trying to break out of a quoted string, not a comment.
>
> Yes, SQL injections frequently involve escaping quoted strings, but if
> you do a search for SQL injection examples, you will find that most of
> them (I would say 90% or more) also use comments to remove the remainder
> of the SQL statement from consideration. Here is one example where an
> attacker specifies "admin'--;" as the username:
>
> SELECT * FROM members WHERE username = 'admin'--;' AND password =
> 'password';
>
> The comment in this example removes the password from inclusion in the
> statement, allowing the attacker to log in as admin without a password.
Really?
select username, first_name, last_name from auth_user where username =
'aklaver';
username | first_name | last_name
----------+------------+-----------
aklaver | Adrian | Klaver
select username, first_name, last_name from auth_user where username =
'aklaver--;' and password = 'password';
username | first_name | last_name
----------+------------+-----------
(0 rows)
What authentication system are you using that does not actually verify
the password and allows entry for a zero return result?
--
Adrian Klaver
[email protected]
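As an added demonstration (not code from this thread, and not PostgreSQL itself), the following runs the `admin'--` username from the quoted example against a constructed `members` table, once through SQL text built by string formatting and once through bound parameters. It uses Python's standard `sqlite3` as an offline stand-in for PostgreSQL, since both parse `--` as a comment running to the end of the line; the table contents and passwords are made up.

```python
import sqlite3


def _demo_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the thread's "members" table.
    sqlite3 is an offline stand-in for PostgreSQL here (both treat "--" as
    a line comment); the rows and passwords are invented for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES ('admin', 's3cret'), ('glen', 'pw')")
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str):
    """Weak pattern: the SQL text is assembled from the raw input, so a
    quote closes the literal and "--" comments out the password clause."""
    sql = (f"SELECT username FROM members WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn: sqlite3.Connection, username: str, password: str):
    """Hardened pattern: bound parameters are passed as values and never
    parsed as SQL, so a quote or "--" in the input is just username text."""
    sql = "SELECT username FROM members WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def run_demo() -> dict:
    """Same input through both code paths; returns who (if anyone) logged in."""
    conn = _demo_db()
    injected_user = "admin'--"          # the username from the quoted example
    return {
        "concat": login_concat(conn, injected_user, "wrong"),   # "admin"
        "param": login_param(conn, injected_user, "wrong"),     # None
        "param_real": login_param(conn, "admin", "s3cret"),     # "admin"
    }


if __name__ == "__main__":
    print(run_demo())
```

The first result is the row match the quoted example describes; the second shows the same input matching nothing once the value is bound instead of spliced into the statement text.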