Tom Lane wrote:
>Peter Kovacs <peter.kovacs@siemens.com> writes:
>
>
>>I think that the simplest thing would be to have an option in the
>>backend to disable processing of multiple statements in one query --
>>i.e. disallow the use of ';' as a separator of statements.
>>
>>
>
>FWIW, the new "extended query" protocol has exactly such a restriction.
>However that hardly excuses any sloppiness in allowing
>non-syntax-checked parameter values through. Consider changing
>"WHERE x < ?" to
>"WHERE x < 42 AND my_function_with_interesting_side_effects()"
>
>No semicolons in sight, but I can still clean out your bank balance ;-)
>
...and it would serve me right :(.
BTW, I presume that one can deny a user the right to create stored
procedures in PostgreSQL. Anyway, I now recognize that the issue is more
complicated than allowing';'.
Regards,
Peter
>
> regards, tom lane
>
>