This assignment is on the todo list and has the benefit of providing an additional defense against SQL-injection attacks. Previous mailing list discussion is here, and I attach a small patch that fixes the issue by checking whether the query string contains multiple SQL commands without being a transaction block, and emits an appropriate error message in the case of a non-transaction-block, multiple-command query string.
This patch was tested using the psql -c option,
i.e. if it's not a transaction block and the query string has multiple commands, it emits an appropriate error message.
psql -c 'DECLARE myportal CURSOR FOR select * from pg_database;FETCH ALL in myportal;CLOSE myportal' postgres
ERROR: cannot execute multiple commands unless it is a transaction block
In the case of a transaction block or a single-command query string, it continues with normal execution.
psql -c 'BEGIN;DECLARE myportal CURSOR FOR select * from pg_database;FETCH ALL in myportal;CLOSE myportal;END' postgres
COMMIT
psql -c 'CREATE TABLE foo();' postgres
CREATE TABLE
Comments?
Regards
Surafel