Re: Feature request: Settings to disable comments and multiple statements in a connection

2025-06-10 Thread Laurenz Albe
On Tue, 2025-06-10 at 10:02 +0200, Dominique Devienne wrote: > On Thu, Jun 5, 2025 at 1:06 AM Tom Lane wrote: > > > Provide a client connection option (and/or implement the backend support) > > > to allow only one statement in an execute request > > > > This exists already; you just have to use

Re: Feature request: Settings to disable comments and multiple statements in a connection

2025-06-10 Thread Dominique Devienne
On Thu, Jun 5, 2025 at 1:06 AM Tom Lane wrote: > > Provide a client connection option (and/or implement the backend support) > > to allow only one statement in an execute request > > This exists already; you just have to use the extended query protocol. Hi Tom. Can you be more specific please? I

Re: Feature request: Settings to disable comments and multiple statements in a connection

2025-06-09 Thread Greg Sabino Mullane
Big -1. This is an application problem. Make the application smarter, not the parser dumber. Prepared statements have been around a long, long time. Cheers, Greg -- Crunchy Data - https://www.crunchydata.com Enterprise Postgres Software Products & Tech Support

Re: Feature request: Settings to disable comments and multiple statements in a connection

2025-06-07 Thread Tom Lane
Glen K writes: >> I don't believe that this would move the needle on SQL-injection >> safety by enough to be worth doing. An injection attack is normally >> trying to break out of a quoted string, not a comment. > If 90% of injection attacks make use of comments (together with quoted string > e

Re: Feature request: Settings to disable comments and multiple statements in a connection

2025-06-07 Thread Adrian Klaver
On 6/7/25 14:56, Adrian Klaver wrote: On 6/7/25 14:18, Glen K wrote:  I don't believe that this would move the needle on SQL-injection safety by enough to be worth doing.  An injection attack is normally trying to break out of a quoted string, not a comment. Yes, SQL injections frequently invo

Re: Feature request: Settings to disable comments and multiple statements in a connection

2025-06-07 Thread Adrian Klaver
On 6/7/25 14:18, Glen K wrote: I don't believe that this would move the needle on SQL-injection safety by enough to be worth doing.  An injection attack is normally trying to break out of a quoted string, not a comment. Yes, SQL injections frequently involve escaping quoted strings, but if yo

Re: Feature request: Settings to disable comments and multiple statements in a connection

2025-06-07 Thread Glen K
ne Sent: Wednesday, June 4, 2025 4:05:56 p.m. To: Glen K Cc: pgsql-general@lists.postgresql.org Subject: Re: Feature request: Settings to disable comments and multiple statements in a connection Glen K writes: > My feature requests are thus: > Provide a client connection option (and/o

Re: Feature request: Settings to disable comments and multiple statements in a connection

2025-06-05 Thread Karsten Hilbert
On Wed, Jun 04, 2025 at 10:41:15PM + Glen K wrote: > In my experience developing backends for APIs, I have > never come across a case where comments were needed or > desired within SQL statements generated for API requests, Being able to garnish with comments the SQL being sent to a backend

Re: Feature request: Settings to disable comments and multiple statements in a connection

2025-06-05 Thread Francisco Olarte
On Thu, 5 Jun 2025 at 01:06, Tom Lane wrote: > ... An injection attack is normally > trying to break out of a quoted string, not a comment. I think the comments he refers to are more used to do "bobby tables" like stuff, as helpers in correct statement forming, not to inject per se. ( I do not t

Re: Feature request: Settings to disable comments and multiple statements in a connection

2025-06-04 Thread Tom Lane
Glen K writes: > My feature requests are thus: > Provide a client connection option (and/or implement the backend support) to > disallow comments in SQL statements I don't believe that this would move the needle on SQL-injection safety by enough to be worth doing. An injection attack is normal
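The two technical points in the thread (Tom Lane's: an injection normally breaks out of a quoted string and needs no comment; and the single-statement behaviour of the extended query protocol, which Greg's "prepared statements" remark points at too), as an added example that is not part of any message in the thread. Python's standard-library sqlite3 module stands in for a PostgreSQL driver here, because it has the two properties under discussion: execute() binds parameters out of band and refuses more than one statement per call (like the extended query protocol), while executescript() runs whatever statements it is given (like the simple query protocol). The users table, account names and payloads are constructed.

```python
"""Added example (not from the thread): three injection payloads against a
string-built query versus a parameterised one.  sqlite3 is a stand-in for a
PostgreSQL driver; the table, accounts and payloads are constructed."""
import sqlite3


def make_db():
    # Constructed sample data: two accounts.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    # Input is spliced into the statement text, so a quote in the input
    # ends the literal and whatever follows becomes SQL syntax.
    sql = (f"SELECT name FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, name, password):
    # The statement text is fixed; inputs travel as bound parameters, so
    # quotes, comment markers and semicolons in them stay data.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


# Constructed payloads.
COMMENT_PAYLOAD = "admin' --"                  # comments out the password check
NO_COMMENT_PAYLOAD = "' OR '1'='1"             # needs neither comment nor semicolon
STACKED_PAYLOAD = "x'; DROP TABLE users; --"   # appends a second statement


def table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row[0] == 1


def stacked_rejected_by_execute(conn):
    # One statement per execute(): the stacked DROP is refused before anything
    # runs (ProgrammingError on current Python, sqlite3.Warning on older ones).
    try:
        login_vulnerable(conn, STACKED_PAYLOAD, "x")
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return table_exists(conn)
    return False


def stacked_runs_under_executescript(conn):
    # The same text handed to a multi-statement entry point executes the DROP;
    # this is the simple-query-protocol behaviour the feature request targets.
    sql = (f"SELECT name FROM users "
           f"WHERE name = '{STACKED_PAYLOAD}' AND password = 'x'")
    conn.executescript(sql)
    return not table_exists(conn)


if __name__ == "__main__":
    db = make_db()
    print("comment payload    :", login_vulnerable(db, COMMENT_PAYLOAD, "wrong"))
    print("no-comment payload :", login_vulnerable(db, "nobody", NO_COMMENT_PAYLOAD))
    print("stacked refused    :", stacked_rejected_by_execute(db))
    print("bound parameters   :", login_safe(db, "nobody", NO_COMMENT_PAYLOAD))
    print("executescript drops:", stacked_runs_under_executescript(make_db()))
```

The no-comment payload logs in as every user with neither a comment marker nor a semicolon, so a parser setting that refuses those two tokens leaves the string-built query exactly as exploitable; binding the inputs as parameters is what removes the problem. The stacked payload only does damage through the multi-statement entry point: against PostgreSQL the equivalent is the difference between a simple-protocol query string and a Parse message, which the server rejects with "cannot insert multiple commands into a prepared statement" when it contains more than one statement.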

Feature request: Settings to disable comments and multiple statements in a connection

2025-06-04 Thread Glen K
Given that most SQL injections involve use of comments and/or insertion of semi-colons to start a new statement, it seems to me that injection attacks could be substantially reduced if client connections could be configured t