Re: Feature request: Settings to disable comments and multiple statements in a connection
Adrian Klaver <adrian.klaver@aklaver.com>
From: Adrian Klaver <adrian.klaver@aklaver.com>
To: Glen K <glenk1973@hotmail.com>, Tom Lane <tgl@sss.pgh.pa.us>
Cc: "pgsql-general@lists.postgresql.org" <pgsql-general@lists.postgresql.org>
Date: 2025-06-07T21:56:45Z
Lists: pgsql-general
On 6/7/25 14:18, Glen K wrote: >> I don't believe that this would move the needle on SQL-injection > safety by enough to be worth doing. An injection attack is normally > trying to break out of a quoted string, not a comment. > > Yes, SQL injections frequently involve escaping quoted strings, but if > you do a search for SQL injection examples, you will find that most of > them (I would say 90% or more) also use comments to remove the remainder > of the SQL statement from consideration. Here is one example where an > attacker specifies "admin'--;" as the username: > > SELECT * FROM members WHERE username = 'admin'--;' AND password = > 'password'; > > The comment in this example removes the password from inclusion in the > statement, allowing the attacker to login as admin without a password. Really? select username, first_name, last_name from auth_user where username = 'aklaver'; username | first_name | last_name ----------+------------+----------- aklaver | Adrian | Klaver select username, first_name, last_name from auth_user where username = 'aklaver--;' and password = 'password'; username | first_name | last_name ----------+------------+----------- (0 rows) What authentication system are you using that does not actually verify the password and allows entry for a zero return result? -- Adrian Klaver adrian.klaver@aklaver.com