Hi, all

On website: https://wiki.postgresql.org/wiki/Todo#libpq
I found that in libpq module, there is a TODO case:

-------------------------------------------------------------------------------
Consider disallowing multiple queries in PQexec() as an additional barrier to SQL injection attacks
-------------------------------------------------------------------------------

I am interested in this one. So, had it been fixed? If not, I am willing to do so.

In the manual, I found that:

-------------------------------------------------------------------------------
Unlike PQexec, PQexecParams allows at most one SQL command in the given string. (There can be semicolons in it, but not more than one nonempty command.) This is a limitation of the underlying protocol, but has some usefulness as an extra defense against SQL-injection attacks.
-------------------------------------------------------------------------------

Maybe we can fix PQexec() just like PQexecParams()? I will try to fix it~

--
Best Regards
-----------------------------------------------------
Wu Fei
DX3 Software Division III
Nanjing Fujitsu Nanda Software Tech. Co., Ltd.(FNST)
ADDR.: No.6 Wenzhu Road, Software Avenue, Nanjing, 210012, China
TEL : +86+25-86630566-9356
COINS: 7998-9356
FAX: +86+25-83317685
MAIL: wufei.f...@cn.fujitsu.com
http://www.fujitsu.com/cn/fnst/
---------------------------------------------------
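As an added example (not part of the post above and not libpq's own code), the kind of client-side check such a change would need: count the nonempty commands in a query string, splitting only on semicolons that sit outside string literals, quoted identifiers, comments and $$-quoted bodies, which is the "not more than one nonempty command" rule the manual states for PQexecParams. The function name and the sample query are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Count the nonempty SQL commands in `sql`. A semicolon separates commands
 * only when it is outside a '...' literal, a "..." identifier, a -- or
 * block comment (which PostgreSQL allows to nest) or a $$...$$ body.
 * A wrapper around PQexec() could refuse any string where this is > 1. */
int count_nonempty_commands(const char *sql)
{
    int count = 0, depth = 0;       /* depth: block-comment nesting level */
    bool seen_text = false;         /* non-blank text since the last ';' */
    const char *p = sql;
    while (*p) {
        if (depth > 0) {            /* inside a block comment, may nest */
            if (p[0] == '/' && p[1] == '*') { depth++; p += 2; }
            else if (p[0] == '*' && p[1] == '/') { depth--; p += 2; }
            else p++;
        } else if (p[0] == '/' && p[1] == '*') { depth = 1; p += 2; }
        else if (p[0] == '-' && p[1] == '-') {   /* line comment to EOL */
            while (*p && *p != '\n') p++;
        } else if (*p == '\'' || *p == '"') {    /* literal / identifier */
            char q = *p++;
            seen_text = true;
            while (*p) {
                if (*p == q && p[1] == q) p += 2; /* doubled quote = escape */
                else if (*p++ == q) break;
            }
        } else if (p[0] == '$' && p[1] == '$') { /* $$ ... $$ body */
            const char *end = strstr(p + 2, "$$");
            seen_text = true;
            p = end ? end + 2 : p + strlen(p);
        } else if (*p == ';') {
            if (seen_text) count++;
            seen_text = false;
            p++;
        } else {
            if (!strchr(" \t\r\n", *p)) seen_text = true;
            p++;
        }
    }
    if (seen_text) count++;         /* last command had no trailing ';' */
    return count;
}

int main(void)
{
    /* constructed sample: a stacked second command after a ';' in a literal */
    const char *sample = "SELECT 'a;b' FROM t; DELETE FROM t -- trailing";
    printf("%d command(s)\n", count_nonempty_commands(sample)); /* prints 2 */
    return 0;
}
```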