Hello.
At Tue, 19 Mar 2019 08:18:23 +0000, "Wu, Fei" <wufei.fnst@cn.fujitsu.com> wrote in
<52E6E0843B9D774C8C73D6CF64402F05621F0FFC@G08CNEXMBPEKD02.g08.fujitsu.local>
> Hi, all
>
> On website: https://wiki.postgresql.org/wiki/Todo#libpq
> I found that in the libpq module, there is a TODO case:
> -------------------------------------------------------------------------------
> Consider disallowing multiple queries in PQexec() as an additional barrier to SQL injection attacks
> -------------------------------------------------------------------------------
> I am interested in this one. So, has it been fixed?
> If not, I am willing to do so.
> In manual, I found that:
> -----------------------------------------------------------------------------
> Unlike PQexec, PQexecParams allows at most one SQL command in the given string. (There can be
> semicolons in it, but not more than one nonempty command.) This is a limitation of the underlying
> protocol, but has some usefulness as an extra defense against SQL-injection attacks.
>
> -------------------------------------------------------------------------------
> Maybe we can fix PQexec() just like PQexecParams()?
>
> I will try to fix it~
I don't oppose that, but as in the discussion linked from there [1],
psql already has a feature that sends multiple statements by one
PQexec() in two ways. Fixing it means making these features
obsolete.
psql db -c 'select 1; select 1;'
bash> psql db
db=> select 1\; select 1;
I couldn't find the documentation about the behavior.
[1] https://www.postgresql.org/message-id/9236.1167968298@sss.pgh.pa.us
regards.
--
Kyotaro Horiguchi
NTT Open Source Software Center
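The quoted manual text draws the line at "not more than one nonempty command": semicolons are fine, an empty trailing command is fine, but a second real statement is not. The following C function is an added illustration of that rule as a client-side pre-check, written for this page; it is not libpq code, not psql code, and not part of the thread or the proposed patch. It assumes only plain SQL lexing (single-quoted literals, double-quoted identifiers, `--` line comments and nested `/* */` block comments); dollar-quoted strings are deliberately not handled, and the function names and sample inputs are constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Count the nonempty SQL commands in a string, following the rule the
 * libpq manual states for PQexecParams: semicolons may appear, but at
 * most one nonempty command. Hypothetical pre-check, not libpq's code.
 * Quoted literals/identifiers and comments are skipped so that a ';'
 * inside them does not count as a command separator.
 * Dollar quoting ($$...$$) is NOT handled. */
int count_nonempty_commands(const char *sql)
{
    int commands = 0;
    bool in_command = false;   /* non-blank text seen since the last ';' */
    size_t i = 0, n = strlen(sql);

    while (i < n) {
        char c = sql[i];

        if (c == '\'' || c == '"') {
            /* quoted literal or identifier; a doubled quote is an escape */
            char q = c;
            in_command = true;
            i++;
            while (i < n) {
                if (sql[i] == q) {
                    if (i + 1 < n && sql[i + 1] == q) { i += 2; continue; }
                    i++;
                    break;
                }
                i++;
            }
            continue;
        }
        if (c == '-' && i + 1 < n && sql[i + 1] == '-') {
            /* line comment: skip to end of line */
            while (i < n && sql[i] != '\n') i++;
            continue;
        }
        if (c == '/' && i + 1 < n && sql[i + 1] == '*') {
            /* block comment; PostgreSQL allows nesting */
            int depth = 1;
            i += 2;
            while (i < n && depth > 0) {
                if (sql[i] == '/' && i + 1 < n && sql[i + 1] == '*') { depth++; i += 2; }
                else if (sql[i] == '*' && i + 1 < n && sql[i + 1] == '/') { depth--; i += 2; }
                else i++;
            }
            continue;
        }
        if (c == ';') {
            /* separator: close the current command if it had any content */
            if (in_command) commands++;
            in_command = false;
            i++;
            continue;
        }
        if (!isspace((unsigned char)c)) in_command = true;
        i++;
    }
    if (in_command) commands++;   /* last command without a trailing ';' */
    return commands;
}

/* True when the string satisfies the "at most one nonempty command" rule. */
bool single_command_only(const char *sql)
{
    return count_nonempty_commands(sql) <= 1;
}

int main(void)
{
    /* constructed inputs for the demonstration, not from the thread */
    const char *inputs[] = {
        "select 1; select 1;",          /* two commands: the psql -c case above */
        "select 'a;b' -- ; select 2\n", /* one command: ';' only in literal/comment */
        "  ;  ",                        /* zero commands: blank separators only */
    };
    for (size_t k = 0; k < sizeof inputs / sizeof inputs[0]; k++)
        printf("%d command(s): %s\n", count_nonempty_commands(inputs[k]), inputs[k]);
    return 0;
}
```

Run against the psql example in the reply, `select 1; select 1;` counts as two commands and would be refused, while `select 1;` and `select 1; ;` count as one and pass, which is exactly the distinction the manual draws for PQexecParams.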