From: | Andres Freund <andres(at)anarazel(dot)de> |
---|---|
To: | Andreas Karlsson <andreas(at)proxel(dot)se> |
Cc: | Bruce Momjian <bruce(at)momjian(dot)us>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Surafel Temesgen <surafel3000(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Disallowing multiple queries per PQexec() |
Date: | 2017-02-28 20:45:43 |
Message-ID: | 20170228204542.5meaki23x74hpuzv@alap3.anarazel.de |
Lists: | pgsql-hackers |
On 2017-02-28 15:59:08 +0100, Andreas Karlsson wrote:
> On 02/28/2017 03:13 PM, Bruce Momjian wrote:
> > I might have added that one; the text is:
> >
> > Consider disallowing multiple queries in PQexec()
> > as an additional barrier to SQL injection attacks
> >
> > and it is a "consider" item. Should it be moved to the Wire Protocol
> > Changes / v4 Protocol section or removed?
>
> A new protocol version won't solve the breakage of the C API, so I am not
> sure we can ever drop this feature other than by adding a new function
> something in the protocol to support this.
The protocol and C APIs to enforce this are already available, no? The
extended protocol (and thus PQexecParams/PQexecPrepared/...) don't allow
multiple statements:
    /*
     * We only allow a single user statement in a prepared statement. This is
     * mainly to keep the protocol simple --- otherwise we'd need to worry
     * about multiple result tupdescs and things like that.
     */
    if (list_length(parsetree_list) > 1)
        ereport(ERROR,
                (errcode(ERRCODE_SYNTAX_ERROR),
                 errmsg("cannot insert multiple commands into a prepared statement")));
So if you don't want to allow multiple statements, use PQexecParams et
al.
- Andres
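The server check quoted in the message above only fires on the extended protocol (Parse/Bind/Execute, i.e. PQexecParams and friends); the simple-query path used by PQexec still runs every statement in the string, which is exactly what a "'; DROP TABLE ...; --" injection relies on. The following is an added example, not PostgreSQL's own parser and not libpq code: a client-side statement counter that mirrors the server's "more than one parse tree" rule for code that must keep using the simple-query path. It counts top-level statements while skipping the lexical constructs that may legitimately contain a semicolon (quoted strings, quoted identifiers, dollar quoting, line and nested block comments). It assumes standard_conforming_strings is on, so backslashes in plain strings are not escapes; E'...' strings are not handled specially. The function and test inputs are constructed for this example.

```python
"""Client-side mirror of PostgreSQL's single-statement rule (added example).

PostgreSQL rejects an extended-protocol Parse message whose text yields more
than one parse tree.  count_statements() approximates that rule on the client
for code that still sends text through the simple-query path (PQexec), where
the server happily executes several statements at once.
"""
import re

# $$ ... $$ or $tag$ ... $tag$ ; a bare "$1" parameter placeholder does not match.
_DOLLAR_TAG = re.compile(r"\$(?:[A-Za-z_][A-Za-z0-9_]*)?\$")


def count_statements(sql: str) -> int:
    """Return the number of top-level SQL statements in `sql`.

    A trailing ';' does not start a new statement.  Assumes
    standard_conforming_strings = on (backslash is not an escape).
    """
    n, i, count = len(sql), 0, 0
    in_stmt = False  # seen a non-blank token since the last top-level ';'
    while i < n:
        c = sql[i]
        if c == "'":  # single-quoted string; '' is an escaped quote
            in_stmt = True
            i += 1
            while i < n:
                if sql[i] == "'":
                    if i + 1 < n and sql[i + 1] == "'":
                        i += 2
                        continue
                    break
                i += 1
            i += 1  # step over the closing quote (or past end of input)
        elif c == '"':  # double-quoted identifier
            in_stmt = True
            i += 1
            while i < n and sql[i] != '"':
                i += 1
            i += 1
        elif c == "$" and _DOLLAR_TAG.match(sql, i):
            in_stmt = True
            tag = _DOLLAR_TAG.match(sql, i).group(0)
            end = sql.find(tag, i + len(tag))
            i = n if end < 0 else end + len(tag)
        elif sql.startswith("--", i):  # line comment
            nl = sql.find("\n", i)
            i = n if nl < 0 else nl + 1
        elif sql.startswith("/*", i):  # block comment; PostgreSQL nests these
            depth, i = 1, i + 2
            while i < n and depth:
                if sql.startswith("/*", i):
                    depth, i = depth + 1, i + 2
                elif sql.startswith("*/", i):
                    depth, i = depth - 1, i + 2
                else:
                    i += 1
        elif c == ";":
            if in_stmt:
                count += 1
            in_stmt = False
            i += 1
        elif c.isspace():
            i += 1
        else:
            in_stmt = True
            i += 1
    return count + 1 if in_stmt else count


def single_statement_or_raise(sql: str) -> str:
    """Refuse text that the simple-query path would run as several statements."""
    if count_statements(sql) > 1:
        raise ValueError("cannot run multiple commands in one query string")
    return sql


if __name__ == "__main__":
    # Constructed inputs: a benign query and a classic stacked-query injection.
    benign = "SELECT * FROM users WHERE name = 'x; y'"
    injected = "SELECT * FROM users WHERE name = 'x'; DROP TABLE users; --'"
    print(count_statements(benign), count_statements(injected))
```

The guard is a barrier in addition to, not instead of, switching to parameterized queries: PQexecParams gets the server-side check for free and also keeps data out of the statement text entirely, which this counter cannot do.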