Re: Willing to fix a PQexec() in libpq module

From: Kyotaro HORIGUCHI <horiguchi(dot)kyotaro(at)lab(dot)ntt(dot)co(dot)jp>
To: wufei(dot)fnst(at)cn(dot)fujitsu(dot)com
Cc: pgsql-hackers(at)postgresql(dot)org, tgl(at)sss(dot)pgh(dot)pa(dot)us
Subject: Re: Willing to fix a PQexec() in libpq module
Date: 2019-03-19 10:47:05
Message-ID: 20190319.194705.83485907.horiguchi.kyotaro@lab.ntt.co.jp
Lists: pgsql-hackers

Hello.

At Tue, 19 Mar 2019 08:18:23 +0000, "Wu, Fei" <wufei(dot)fnst(at)cn(dot)fujitsu(dot)com> wrote in <52E6E0843B9D774C8C73D6CF64402F05621F0FFC(at)G08CNEXMBPEKD02(dot)g08(dot)fujitsu(dot)local>
> Hi, all
>
> On website: https://wiki.postgresql.org/wiki/Todo#libpq
> I found that in libpq module,there is a TODO case:
> -------------------------------------------------------------------------------
> Consider disallowing multiple queries in PQexec() as an additional barrier to SQL injection attacks
> -------------------------------------------------------------------------------
> I am interested in this one. So, has it been fixed?
> If not, I am willing to do so.
> In manual, I found that:
> -----------------------------------------------------------------------------
> Unlike PQexec, PQexecParams allows at most one SQL command in the given string. (There can be
> semicolons in it, but not more than one nonempty command.) This is a limitation of the underlying
> protocol, but has some usefulness as an extra defense against SQL-injection attacks.
>
> -------------------------------------------------------------------------------
> Maybe we can fix PQexec() just like PQexecParams()?
>
> I will try to fix it~

I don't oppose that, but as the discussion linked from there [1],
psql already has a feature that sends multiple statements by one
PQexec() in two ways. Fixing it means making the features
obsolete.

psql db -c 'select 1; select 1;'

bash> psql db
db=> select 1\; select 1;

I couldn't find the documentation about the behavior.

[1] https://www.postgresql.org/message-id/9236.1167968298@sss.pgh.pa.us

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center
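The guard the TODO item describes, restricting a query string to at most one non-empty command the way PQexecParams already does, can be approximated on the client side before the string ever reaches PQexec(). The following C function is an added illustration written for this thread, not code from libpq or from the proposed patch; the names `count_nonempty_commands` and `single_command_only` are hypothetical. It walks the string with the lexical rules that matter for splitting (single-quoted literals with the `''` escape, double-quoted identifiers, `--` line comments, nestable block comments, and untagged `$$ ... $$` strings) and counts the non-empty commands separated by semicolons. Tagged dollar quotes (`$tag$ ... $tag$`) and `E'...'` backslash escapes are deliberately left out to keep the example short, so it is a teaching approximation of the server's lexer, not a replacement for it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Count the non-empty SQL commands in a query string, honouring the
 * lexical rules that decide where a semicolon really ends a command:
 * single-quoted literals (with '' escape), double-quoted identifiers,
 * -- line comments, nestable block comments and untagged $$ ... $$.
 * Tagged dollar quotes and E'...' escapes are intentionally omitted
 * (illustrative approximation, not libpq's own code). */
int count_nonempty_commands(const char *sql)
{
    int count = 0;
    bool nonblank = false;          /* current command has a token so far */
    size_t i = 0, n = strlen(sql);  /* sql[n] is the NUL, so sql[i + 1] is safe */

    while (i < n) {
        char c = sql[i];
        if (c == '-' && sql[i + 1] == '-') {            /* line comment */
            while (i < n && sql[i] != '\n') i++;
            continue;
        }
        if (c == '/' && sql[i + 1] == '*') {            /* block comment, may nest */
            int depth = 1;
            i += 2;
            while (i < n && depth > 0) {
                if (sql[i] == '/' && sql[i + 1] == '*') { depth++; i += 2; }
                else if (sql[i] == '*' && sql[i + 1] == '/') { depth--; i += 2; }
                else i++;
            }
            continue;
        }
        if (c == '\'' || c == '"') {                    /* quoted literal / identifier */
            nonblank = true;
            i++;
            while (i < n) {
                if (sql[i] == c) {
                    if (sql[i + 1] == c) { i += 2; continue; }  /* doubled quote */
                    i++;
                    break;
                }
                i++;
            }
            continue;
        }
        if (c == '$' && sql[i + 1] == '$') {            /* untagged dollar quote */
            const char *end;
            nonblank = true;
            i += 2;
            end = strstr(sql + i, "$$");
            i = end ? (size_t)(end - sql) + 2 : n;
            continue;
        }
        if (c == ';') {                                 /* command separator */
            if (nonblank) count++;
            nonblank = false;
            i++;
            continue;
        }
        if (c != ' ' && c != '\t' && c != '\n' && c != '\r')
            nonblank = true;
        i++;
    }
    if (nonblank) count++;                              /* trailing command without ';' */
    return count;
}

/* Mirror of the PQexecParams rule: accept at most one non-empty command.
 * A client could call this before PQexec() and refuse anything else. */
bool single_command_only(const char *sql)
{
    return count_nonempty_commands(sql) <= 1;
}
```

Applied to the two psql idioms quoted in the mail, `psql db -c 'select 1; select 1;'` and `select 1\; select 1;`, both arrive at PQexec() as a single string holding two non-empty commands, so this guard would reject exactly the strings that feature depends on; that is the compatibility cost the mail points out, and why a change to PQexec() itself would have to be weighed against psql's existing behaviour rather than just bolted on.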
