Willing to fix a PQexec() in libpq module

From: Wu, Fei
Subject: Willing to fix a PQexec() in libpq module
Date:
Msg-id: 52E6E0843B9D774C8C73D6CF64402F05621F0FFC@G08CNEXMBPEKD02.g08.fujitsu.local
Replies: Re: Willing to fix a PQexec() in libpq module
List: pgsql-hackers

Hi, all

On website: https://wiki.postgresql.org/wiki/Todo#libpq

I found that in the libpq module, there is a TODO case:

-------------------------------------------------------------------------------
Consider disallowing multiple queries in PQexec() as an additional barrier to SQL injection attacks
-------------------------------------------------------------------------------

I am interested in this one. So, has it been fixed?

If not, I am willing to do so.

In the manual, I found that:

-----------------------------------------------------------------------------
Unlike PQexec, PQexecParams allows at most one SQL command in the given string. (There can be semicolons in it, but not more than one nonempty command.) This is a limitation of the underlying protocol, but has some usefulness as an extra defense against SQL-injection attacks.
-------------------------------------------------------------------------------

Maybe we can fix PQexec() just like PQexecParams()?

I will try to fix it~

 

 

--
Best Regards
-----------------------------------------------------
Wu Fei
DX3
Software Division III
Nanjing Fujitsu Nanda Software Tech. Co., Ltd.(FNST)
ADDR.: No.6 Wenzhu Road, Software Avenue,
       Nanjing, 210012, China
TEL  : +86+25-86630566-9356
COINS: 7998-9356
FAX: +86+25-83317685
MAIL:wufei.fnst@cn.fujitsu.com
http://www.fujitsu.com/cn/fnst/
---------------------------------------------------
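As an added example (not the author's patch and not libpq's own code), here is the kind of client-side "at most one nonempty command" check the TODO item asks for, written in C: it counts commands while skipping '...' and E'...' literals, "..." identifiers and comments, so a ';' inside a literal is not mistaken for a statement boundary. The function names are hypothetical; dollar quoting ($$...$$) is assumed out of scope.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
/* Count the nonempty SQL commands in a query string, as a "PQexec accepts at
 * most one command" check might (hypothetical code, not libpq's own). Handles
 * '...' and E'...' literals, "..." identifiers, -- and nested block comments.
 * Assumption: $$ dollar quoting is not handled; a ';' inside one over-counts,
 * which only rejects more, never less. */
int count_sql_commands(const char *q)
{
    int commands = 0;
    bool nonempty = false;
    for (size_t i = 0; q[i] != '\0'; i++) {
        char c = q[i];
        if (c == '\'' || c == '"') {
            char quote = c;
            bool esc = (c == '\'' && i > 0 && (q[i-1] == 'E' || q[i-1] == 'e')   /* E'...' only if E is its own token */
                        && (i < 2 || !(isalnum((unsigned char)q[i-2]) || q[i-2] == '_')));
            nonempty = true;
            for (i++; q[i] != '\0'; i++) {
                if (esc && q[i] == '\\' && q[i+1] != '\0') i++;        /* skip escaped char */
                else if (q[i] == quote && q[i+1] == quote) i++;        /* doubled quote */
                else if (q[i] == quote) break;
            }
            if (q[i] == '\0') break;
        } else if (c == '-' && q[i+1] == '-') {
            while (q[i] != '\0' && q[i] != '\n') i++;                  /* line comment */
            if (q[i] == '\0') break;
        } else if (c == '/' && q[i+1] == '*') {
            int depth = 1;                                             /* nested block comment */
            for (i += 2; q[i] != '\0' && depth > 0; ) {
                if (q[i] == '/' && q[i+1] == '*') { depth++; i += 2; }
                else if (q[i] == '*' && q[i+1] == '/') { depth--; i += 2; }
                else i++;
            }
            if (q[i] == '\0') break;
            i--;                                                       /* outer loop re-adds 1 */
        } else if (c == ';') {
            if (nonempty) commands++;                                  /* end of a nonempty command */
            nonempty = false;
        } else if (!isspace((unsigned char)c)) {
            nonempty = true;
        }
    }
    if (nonempty) commands++;
    return commands;
}

/* A PQexec-style guard: true iff the string holds at most one nonempty command. */
bool single_command_only(const char *q) { return count_sql_commands(q) <= 1; }
```

PQexecParams gets this property from the extended protocol for free; a PQexec guard has to lex on the client, and any construct the lexer does not understand (dollar quoting here) must err toward rejecting rather than accepting.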
