Subject: Re: Feature request: Settings to disable comments and multiple statements in a connection
From: Adrian Klaver
To: Glen K, Tom Lane
Cc: pgsql-general@lists.postgresql.org
Date: Sat, 7 Jun 2025 15:06:27 -0700
References: <1079732.1749078352@sss.pgh.pa.us>

On 6/7/25 14:56, Adrian Klaver wrote:
> On 6/7/25 14:18, Glen K wrote:
>>> I don't believe that this would move the needle on SQL-injection
>>> safety by enough to be worth doing.  An injection attack is normally
>>> trying to break out of a quoted string, not a comment.
>>
>> Yes, SQL injections frequently involve escaping quoted strings, but if
>> you do a search for SQL injection examples, you will find that most of
>> them (I would say 90% or more) also use comments to remove the
>> remainder of the SQL statement from consideration. Here is one example
>> where an attacker specifies "admin'--;" as the username:
>>
>> SELECT * FROM members WHERE username = 'admin'--;' AND password =
>> 'password';
>>
>> The comment in this example removes the password from inclusion in the
>> statement, allowing the attacker to login as admin without a password.
>
> Really?
>
> select username, first_name, last_name from auth_user where username =
> 'aklaver';
>
>  username | first_name | last_name
> ----------+------------+-----------
>  aklaver  | Adrian     | Klaver
>
> select username, first_name, last_name from auth_user where username =
> 'aklaver--;' and password = 'password';
>
>  username | first_name | last_name
> ----------+------------+-----------
> (0 rows)

Oops, missed a quote:

select username, first_name, last_name from auth_user where username = 'aklaver'--;' and password = 'password';
production-#

Still I don't see how this would work, even if you add another ';' and got:

production=# select username, first_name, last_name from auth_user where username = 'aklaver'--;' and password = 'password';
production-# ;
 username | first_name | last_name
----------+------------+-----------
 aklaver  | Adrian     | Klaver

>
> What authentication system are you using that does not actually verify
> the password and allows entry for a zero return result?
>
> --
> Adrian Klaver
> adrian.klaver@aklaver.com
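As an added example (not code from the thread or from PostgreSQL), the psql behaviour shown above can be reproduced outside the server: `server_view` is a simplified quote/comment tracker that shows which text survives a `--` comment and whether a terminating `;` remains (which is why psql shows the `-#` continuation prompt), and the constructed `lookup_concat` / `lookup_bound` functions use an in-memory SQLite table standing in for `auth_user` to contrast a string-built query with a parameterized one, the control that actually removes the risk rather than disabling comments.

```python
import sqlite3

def server_view(sql):
    """Return (text_the_parser_sees, terminated) after dropping `--` comments.

    Tracks single-quoted literals ('' is an escaped quote), so `--` inside a
    literal is data while `--` outside one swallows the rest of the line.
    `terminated` is True once a `;` is seen outside quotes and comments; when
    it is False, psql keeps reading and shows its `-#` continuation prompt.
    Simplified for illustration: no /* */ block comments or $$ quoting.
    """
    out, i, in_str, terminated = [], 0, False, False
    while i < len(sql):
        ch = sql[i]
        if in_str:
            if sql.startswith("''", i):            # doubled quote inside a literal
                out.append("''"); i += 2; continue
            in_str = ch != "'"
        elif ch == "'":
            in_str = True
        elif sql.startswith("--", i):              # comment: skip to end of line
            nl = sql.find("\n", i)
            i = len(sql) if nl < 0 else nl
            continue
        elif ch == ";":
            terminated = True
        out.append(ch)
        i += 1
    return "".join(out).strip(), terminated

def build_demo_db():
    # Constructed in-memory stand-in for the auth_user table in the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table auth_user(username, first_name, last_name, password)")
    conn.execute("insert into auth_user values ('aklaver', 'Adrian', 'Klaver', 'hunter2')")
    return conn

SELECT = "select username, first_name, last_name from auth_user where username = "

def lookup_concat(conn, username, password):
    # Vulnerable pattern: user input is spliced into the SQL text, so a quote
    # closes the literal and `--` comments out the password check.
    sql = SELECT + f"'{username}' and password = '{password}'"
    return conn.execute(sql).fetchall()

def lookup_bound(conn, username, password):
    # Fixed pattern: the value travels as a bound parameter, never as SQL text,
    # so the same input is just a username nobody has.
    return conn.execute(SELECT + "? and password = ?", (username, password)).fetchall()
```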