public inbox for [email protected]  
Re: Feature request: Settings to disable comments and multiple statements in a connection

* Re: Feature request: Settings to disable comments and multiple statements in a connection
@ 2025-06-07 21:56  Adrian Klaver <[email protected]>

From: Adrian Klaver @ 2025-06-07 21:56 UTC (permalink / raw)
  To: Glen K <[email protected]>; Tom Lane <[email protected]>; +Cc: [email protected] <[email protected]>

On 6/7/25 14:18, Glen K wrote:
>>  I don't believe that this would move the needle on SQL-injection
> safety by enough to be worth doing.  An injection attack is normally
> trying to break out of a quoted string, not a comment.
> 
> Yes, SQL injections frequently involve escaping quoted strings, but if 
> you do a search for SQL injection examples, you will find that most of 
> them (I would say 90% or more) also use comments to remove the remainder 
> of the SQL statement from consideration. Here is one example where an 
> attacker specifies "admin'--;" as the username:
> 
> SELECT * FROM members WHERE username = 'admin'--;' AND password = 
> 'password';
> 
> The comment in this example removes the password from inclusion in the 
> statement, allowing the attacker to log in as admin without a password.

Really?

select username, first_name, last_name from auth_user where username = 
'aklaver';

  username | first_name | last_name
----------+------------+-----------
  aklaver  | Adrian     | Klaver

  select username, first_name, last_name from auth_user where username = 
'aklaver--;' and password = 'password';

  username | first_name | last_name
----------+------------+-----------
(0 rows)

What authentication system are you using that does not actually verify 
the password and allows entry for a zero return result?


-- 
Adrian Klaver
[email protected]

* Re: Feature request: Settings to disable comments and multiple statements in a connection
@ 2025-06-07 22:06  Adrian Klaver <[email protected]>

From: Adrian Klaver @ 2025-06-07 22:06 UTC (permalink / raw)
  To: Glen K <[email protected]>; Tom Lane <[email protected]>; +Cc: [email protected] <[email protected]>

On 6/7/25 14:56, Adrian Klaver wrote:
> On 6/7/25 14:18, Glen K wrote:
>>>  I don't believe that this would move the needle on SQL-injection
>> safety by enough to be worth doing.  An injection attack is normally
>> trying to break out of a quoted string, not a comment.
>>
>> Yes, SQL injections frequently involve escaping quoted strings, but if 
>> you do a search for SQL injection examples, you will find that most of 
>> them (I would say 90% or more) also use comments to remove the 
>> remainder of the SQL statement from consideration. Here is one example 
>> where an attacker specifies "admin'--;" as the username:
>>
>> SELECT * FROM members WHERE username = 'admin'--;' AND password = 
>> 'password';
>>
>> The comment in this example removes the password from inclusion in the 
>> statement, allowing the attacker to log in as admin without a password.
> 
> Really?
> 
> select username, first_name, last_name from auth_user where username = 
> 'aklaver';
> 
>   username | first_name | last_name
> ----------+------------+-----------
>   aklaver  | Adrian     | Klaver
> 
>   select username, first_name, last_name from auth_user where username = 
> 'aklaver--;' and password = 'password';
> 
>   username | first_name | last_name
> ----------+------------+-----------
> (0 rows)

Oops, missed a quote:

select username, first_name, last_name from auth_user where username = 
'aklaver'--;' and password = 'password';
production-#

Still I don't see how this would work, even if you add another ';' and get:

production=# select username, first_name, last_name from auth_user where 
username = 'aklaver'--;' and password = 'password';
production-# ;
  username | first_name | last_name
----------+------------+-----------
  aklaver  | Adrian     | Klaver

> 
> What authentication system are you using that does not actually verify 
> the password and allows entry for a zero return result?
> 
> 

-- 
Adrian Klaver
[email protected]
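The effect Adrian reproduces in psql, as an added example that is not part of the thread: a string-built query lets the "aklaver'--" username close the literal and comment out the password check, while the same lookup with bound parameters treats the input as plain data. The in-memory SQLite database, its auth_user table and the stored password are constructed for this example.

```python
"""Added example (not code from the thread): comment-truncation injection
against a string-built query, beside the parameterised form that is immune.
Uses an in-memory SQLite database; table and rows are constructed here."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data, not the list poster's real auth_user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_user (username TEXT, password TEXT)")
    conn.execute("INSERT INTO auth_user VALUES ('aklaver', 's3cret')")
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # Vulnerable: user input spliced into the SQL text. A username such as
    # "aklaver'--" closes the string literal, and the -- comment swallows the
    # rest of the statement, including the AND password = ... clause.
    sql = (f"SELECT username FROM auth_user WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str, password: str):
    # Hardened: placeholders pass the values out of band, so "aklaver'--" is
    # compared as a literal username and is never parsed as SQL.
    sql = "SELECT username FROM auth_user WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "aklaver'--", "wrong"))     # [('aklaver',)]
    print(lookup_parameterised(db, "aklaver'--", "wrong"))  # []
```

The vulnerable lookup returns the aklaver row with a wrong password, which is exactly why the row count alone must never be the authentication decision; the parameterised lookup returns no rows for the same input.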