public inbox for [email protected]
help / color / mirror / Atom feedFrom: Adrian Klaver <[email protected]>
To: Glen K <[email protected]>
To: Tom Lane <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: Feature request: Settings to disable comments and multiple statements in a connection
Date: Sat, 7 Jun 2025 15:06:27 -0700
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <BN0P223MB0152E29A351757553BB74C19A86CA@BN0P223MB0152.NAMP223.PROD.OUTLOOK.COM>
<[email protected]>
<BN0P223MB01527999F0D58FEB13757986A869A@BN0P223MB0152.NAMP223.PROD.OUTLOOK.COM>
<[email protected]>
On 6/7/25 14:56, Adrian Klaver wrote:
> On 6/7/25 14:18, Glen K wrote:
>>> I don't believe that this would move the needle on SQL-injection
>> safety by enough to be worth doing. An injection attack is normally
>> trying to break out of a quoted string, not a comment.
>>
>> Yes, SQL injections frequently involve escaping quoted strings, but if
>> you do a search for SQL injection examples, you will find that most of
>> them (I would say 90% or more) also use comments to remove the
>> remainder of the SQL statement from consideration. Here is one example
>> where an attacker specifies "admin'--;" as the username:
>>
>> SELECT * FROM members WHERE username = 'admin'--;' AND password =
>> 'password';
>>
>> The comment in this example removes the password from inclusion in the
>> statement, allowing the attacker to login as admin without a password.
>
> Really?
>
> select username, first_name, last_name from auth_user where username =
> 'aklaver';
>
> username | first_name | last_name
> ----------+------------+-----------
> aklaver | Adrian | Klaver
>
> select username, first_name, last_name from auth_user where username =
> 'aklaver--;' and password = 'password';
>
> username | first_name | last_name
> ----------+------------+-----------
> (0 rows)
Oops, missed a quote:
select username, first_name, last_name from auth_user where username =
'aklaver'--;' and password = 'password';
production-#
Still I don't see how this would work, even if you add another ';' and got:
production=# select username, first_name, last_name from auth_user where
username = 'aklaver'--;' and password = 'password';
production-# ;
username | first_name | last_name
----------+------------+-----------
aklaver | Adrian | Klaver
>
> What authentication system are you using that does not actually verify
> the password and allows entry for a zero return result?
>
>
--
Adrian Klaver
[email protected]
view thread (2+ messages)
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected]
Subject: Re: Feature request: Settings to disable comments and multiple statements in a connection
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox