Hello.

At Tue, 19 Mar 2019 08:18:23 +0000, "Wu, Fei" <wufei.f...@cn.fujitsu.com> wrote in <52E6E0843B9D774C8C73D6CF64402F05621F0FFC@G08CNEXMBPEKD02.g08.fujitsu.local>
> Hi, all
>
> On website: https://wiki.postgresql.org/wiki/Todo#libpq
> I found that in libpq module, there is a TODO case:
> -------------------------------------------------------------------------------
> Consider disallowing multiple queries in PQexec() as an additional barrier to
> SQL injection attacks
> -------------------------------------------------------------------------------
> I am interested in this one. So, has it been fixed?
> If not, I am willing to do so.
> In manual, I found that:
> -----------------------------------------------------------------------------
> Unlike PQexec, PQexecParams allows at most one SQL command in the given
> string. (There can be semicolons in it, but not more than one nonempty
> command.) This is a limitation of the underlying protocol, but has some
> usefulness as an extra defense against SQL-injection attacks.
>
> -------------------------------------------------------------------------------
> Maybe we can fix PQexec() just like PQexecParams()?
>
> I will try to fix it~
I don't oppose that, but as in the discussion linked from there [1], psql already has a feature that sends multiple statements by one PQexec() in two ways. Fixing it means making the features obsolete.

  psql db -c 'select 1; select 1;'

  bash> psql db
  db=> select 1\; select 1;

I couldn't find the documentation about the behavior.

[1] https://www.postgresql.org/message-id/9236.1167968...@sss.pgh.pa.us

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center
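The rule the quoted manual text describes ("there can be semicolons in it, but not more than one nonempty command") is the interesting part from a defensive point of view: a client-side wrapper can enforce the same limit on its own before handing a string to PQexec(), so that a stacked second statement is rejected rather than executed. The following is an added illustration written for this thread, not code from the mail, from psql or from the PostgreSQL backend; it approximates the counting rule with a small scanner that skips quoted strings, dollar-quoted strings and comments, and it does not claim to match the server's real parser in every corner case. The function names (count_sql_commands, assert_single_command) and the sample query strings are constructed here.

```python
import re

# Matches the opening of a dollar-quoted string: $$ or $tag$ (not $1 parameters).
_DOLLAR_TAG = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)?\$")


def count_sql_commands(sql: str) -> int:
    """Count nonempty SQL commands in `sql`, splitting on top-level semicolons.

    Semicolons inside single-quoted literals, double-quoted identifiers,
    dollar-quoted strings, `--` line comments and (nested) `/* */` block
    comments do not start a new command. Comments are not counted as
    content, so "select 1; /* ; */" is a single command. This is an
    approximation for illustration, not PostgreSQL's own parser.
    """
    n, i, commands = len(sql), 0, 0
    current = []  # non-comment text of the command being scanned

    def flush():
        nonlocal commands, current
        if "".join(current).strip():
            commands += 1
        current = []

    while i < n:
        c = sql[i]
        if c == "-" and sql.startswith("--", i):          # line comment
            j = sql.find("\n", i)
            i = n if j < 0 else j + 1
        elif c == "/" and sql.startswith("/*", i):        # nested block comment
            depth, i = 1, i + 2
            while i < n and depth:
                if sql.startswith("/*", i):
                    depth, i = depth + 1, i + 2
                elif sql.startswith("*/", i):
                    depth, i = depth - 1, i + 2
                else:
                    i += 1
        elif c in ("'", '"'):                             # quoted literal / identifier
            j = i + 1
            while j < n:
                if sql[j] == c:
                    if j + 1 < n and sql[j + 1] == c:     # doubled quote escapes itself
                        j += 2
                        continue
                    break
                j += 1
            current.append(sql[i:j + 1])
            i = j + 1
        elif c == "$" and (m := _DOLLAR_TAG.match(sql, i)):  # dollar-quoted string
            tag = m.group(0)
            j = sql.find(tag, m.end())
            j = n if j < 0 else j + len(tag)
            current.append(sql[i:j])
            i = j
        elif c == ";":
            flush()
            i += 1
        else:
            current.append(c)
            i += 1
    flush()
    return commands


class MultipleCommandsError(ValueError):
    """Raised when a query string carries more than one nonempty command."""


def assert_single_command(sql: str) -> str:
    """Return `sql` unchanged if it holds at most one command, else raise.

    Intended as a guard in front of a PQexec()-style call that would
    otherwise run every statement in the string.
    """
    k = count_sql_commands(sql)
    if k > 1:
        raise MultipleCommandsError(f"{k} commands in one query string; expected at most one")
    return sql


if __name__ == "__main__":
    # The two psql forms from the mail both reach the server as one string
    # holding two commands (constructed sample strings).
    for text in ("select 1; select 1;", "select 1; select 1", "select ';'", "select $$a;b$$ -- ; note"):
        print(repr(text), "->", count_sql_commands(text))
```

The scanner deliberately ignores comment text when deciding whether a command is nonempty, which is what lets a trailing comment after a semicolon still count as a single command, while a quoted semicolon never splits anything. The psql `\;` form sends the semicolon to the server inside one string, so the guard treats it the same way as the `-c` form.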