Date: Sat, 7 Jun 2025 14:56:45 -0700
Subject: Re: Feature request: Settings to disable comments and multiple statements in a connection
To: Glen K, Tom Lane
Cc: pgsql-general@lists.postgresql.org
From: Adrian Klaver
References: <1079732.1749078352@sss.pgh.pa.us>

On 6/7/25 14:18, Glen K wrote:
>> I don't believe that this would move the needle on SQL-injection
>> safety by enough to be worth doing.  An injection attack is normally
>> trying to break out of a quoted string, not a comment.
>
> Yes, SQL injections frequently involve escaping quoted strings, but if
> you do a search for SQL injection examples, you will find that most of
> them (I would say 90% or more) also use comments to remove the remainder
> of the SQL statement from consideration. Here is one example where an
> attacker specifies "admin'--;" as the username:
>
> SELECT * FROM members WHERE username = 'admin'--;' AND password =
> 'password';
>
> The comment in this example removes the password from inclusion in the
> statement, allowing the attacker to login as admin without a password.

Really?

select username, first_name, last_name from auth_user where username = 'aklaver';
 username | first_name | last_name
----------+------------+-----------
 aklaver  | Adrian     | Klaver

select username, first_name, last_name from auth_user where username = 'aklaver--;' and password = 'password';
 username | first_name | last_name
----------+------------+-----------
(0 rows)

What authentication system are you using that does not actually verify the password and allows entry for a zero return result?

-- 
Adrian Klaver
adrian.klaver@aklaver.com
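The two outcomes discussed in this thread, side by side, as an added illustration that is not part of the mailing-list post: the same "admin'--;" input reaches the database either by string concatenation (the `--` becomes a comment and the password check disappears) or as a bound parameter (the `--` stays inside the literal, as in Adrian's psql test, and no row matches). The `members` table, its single row and the `login_*` helpers are constructed for this example; SQLite is used only because it ships with Python and supports `--` comments.

```python
import sqlite3


def setup_db():
    """Constructed sample data: a members table with one admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES ('admin', 'correct-horse')")
    return conn


def login_concat(conn, username, password):
    """Vulnerable form: the statement is assembled by string formatting.

    With username "admin'--;" the text becomes
        ... WHERE username = 'admin'--;' AND password = '...'
    and everything after -- is a comment, so the password is never checked.
    """
    sql = (
        f"SELECT username FROM members WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_param(conn, username, password):
    """Hardened form: the driver binds the values as parameters.

    The input is compared as the literal string admin'--; (exactly what
    Adrian's quoted test did), so the comment marker has no effect and
    the password predicate stays in force.
    """
    sql = "SELECT username FROM members WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password)).fetchall()]


if __name__ == "__main__":
    db = setup_db()
    print("concat  :", login_concat(db, "admin'--;", "wrong"))   # ['admin']
    print("param   :", login_param(db, "admin'--;", "wrong"))    # []
    print("legit   :", login_param(db, "admin", "correct-horse"))  # ['admin']
```

The hardened version also illustrates Adrian's closing point: the application must treat an empty result as a failed login, which parameter binding makes the normal outcome for this input.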