From: | Kris Jurka <books(at)ejurka(dot)com> |
---|---|
To: | Peter Kovacs <peter(dot)kovacs(at)siemens(dot)com> |
Cc: | Fernando Nasser <fnasser(at)redhat(dot)com>, Dima Tkach <dmitry(at)openratings(dot)com>, Oliver Jowett <oliver(at)opencloud(dot)com>, Kim Ho <kho(at)redhat(dot)com>, Barry Lind <blind(at)xythos(dot)com>, pgsql-jdbc-list <pgsql-jdbc(at)postgresql(dot)org>, Dave Cramer <Dave(at)micro-automation(dot)net> |
Subject: | Re: Prepared Statements |
Date: | 2003-07-22 05:52:20 |
Message-ID: | Pine.LNX.4.33.0307220149200.14671-100000@leary.csoft.net |
Lists: | pgsql-jdbc |
On Mon, 21 Jul 2003, Peter Kovacs wrote:
> I think that the simplest thing would be to have an option in the
> backend to disable processing of multiple statements in one query --
> i.e. disallow the use of ';' as a separator of statements. I am not sure
> why this feature (multiple statements in one query) is there anyway.
> "Reduce network roundtrips" is the usual reply, but, then, what is the
> purpose of stored procedures (functions in PostgreSQL)?
>
> From this perspective, the whole wrestling with "drop table..." and
> similar risks seems fairly vain to me. At least, the driver is not the
> place to solve this kind of security problem, which basically exists due
> to the way the server behaves. Instead, the question should be asked: is
> the behaviour of the server optimal? Do we need this feature
> (processing multiple, semi-colon separated statements)? Should not this
> feature eventually be optional?
The second-statement type of attack is just one variant. Consider a query
that displayed a list of your orders: SELECT * FROM orders WHERE
userid='username'. Suppose I substituted a username of username' OR
true OR userid='. This is another injection attack that does not
require the backend to support multiple statements per query.
Kris Jurka
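The orders query above, run both ways: the concatenated form Kris describes, fed the same username value, beside the bound-parameter form a prepared statement gives you. This is an added illustration, not code from the thread; it uses an in-memory SQLite database with constructed rows as a stand-in for the PostgreSQL backend.

```python
import sqlite3


def make_db():
    # Constructed sample data: three orders belonging to two users. SQLite here
    # stands in for the PostgreSQL backend discussed in the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, userid TEXT, item TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "book"), (2, "alice", "pen"), (3, "bob", "lamp")],
    )
    return conn


def orders_concat(conn, username):
    # Vulnerable form: the caller's value is spliced into the SQL text, as in
    # the query Kris describes. A quote in the input closes the literal and the
    # rest of the input is parsed as SQL, so no second statement is needed.
    sql = "SELECT id, userid, item FROM orders WHERE userid='" + username + "'"
    return conn.execute(sql).fetchall()


def orders_param(conn, username):
    # Hardened form: the value is sent as a bound parameter and never becomes
    # part of the statement text. The same input is compared literally against
    # userid, where it matches no row.
    sql = "SELECT id, userid, item FROM orders WHERE userid=?"
    return conn.execute(sql, (username,)).fetchall()


# The username value from Kris's message, used unchanged.
INJECTED = "username' OR true OR userid='"

if __name__ == "__main__":
    db = make_db()
    print("concat, honest user:", orders_concat(db, "alice"))
    print("concat, injected   :", orders_concat(db, INJECTED))  # every row
    print("param,  injected   :", orders_param(db, INJECTED))   # no rows
```

Reading the two result sets side by side is the quickest way to show a developer why the driver's parameter binding, rather than a backend option forbidding ';', is what closes this class of bug.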