Re: Feature request: Settings to disable comments and multiple statements in a connection
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Glen K <glenk1973@hotmail.com>
Cc: "pgsql-general@lists.postgresql.org" <pgsql-general@lists.postgresql.org>
Date: 2025-06-04T23:05:52Z
Lists: pgsql-general
Glen K <glenk1973@hotmail.com> writes: > My feature requests are thus: > Provide a client connection option (and/or implement the backend support) to disallow comments in SQL statements I don't believe that this would move the needle on SQL-injection safety by enough to be worth doing. An injection attack is normally trying to break out of a quoted string, not a comment. > Provide a client connection option (and/or implement the backend support) to allow only one statement in an execute request This exists already; you just have to use the extended query protocol. > Provide an option in the client execute functions (and/or implement > the backend support) to specify the expected number of statements. I don't see the need for this given #2. regards, tom lane