Re: [HACKERS] Disallowing multiple queries per PQexec()
From | Andres Freund |
---|---|
Subject | Re: [HACKERS] Disallowing multiple queries per PQexec() |
Date | |
Msg-id | 20170228204542.5meaki23x74hpuzv@alap3.anarazel.de |
In reply to | Re: [HACKERS] Disallowing multiple queries per PQexec() (Andreas Karlsson <andreas@proxel.se>) |
Responses | Re: [HACKERS] Disallowing multiple queries per PQexec() |
List | pgsql-hackers |
On 2017-02-28 15:59:08 +0100, Andreas Karlsson wrote:
> On 02/28/2017 03:13 PM, Bruce Momjian wrote:
> > I might have added that one; the text is:
> >
> > Consider disallowing multiple queries in PQexec()
> > as an additional barrier to SQL injection attacks
> >
> > and it is a "consider" item. Should it be moved to the Wire Protocol
> > Changes / v4 Protocol section or removed?
>
> A new protocol version won't solve the breakage of the C API, so I am not
> sure we can ever drop this feature other than by adding a new function
> something in the protocol to support this.

The protocol and C APIs to enforce this are already available, no? The
extended protocol (and thus PQexecParams/PQexecPrepared/...) don't allow
multiple statements:

    /*
     * We only allow a single user statement in a prepared statement. This is
     * mainly to keep the protocol simple --- otherwise we'd need to worry
     * about multiple result tupdescs and things like that.
     */
    if (list_length(parsetree_list) > 1)
        ereport(ERROR,
                (errcode(ERRCODE_SYNTAX_ERROR),
                 errmsg("cannot insert multiple commands into a prepared statement")));

So if you don't want to allow multiple statements, use PQexecParams et al.

- Andres
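The simple-query versus extended-protocol distinction Andres points to, as an added example that is not from the thread or from PostgreSQL's own code: it encodes the frontend message each libpq path sends ('Q' for PQexec, a 'P' Parse message as the first step of PQexecParams) and adds a defender-side inspector that counts top-level statements in a captured frontend message, since the server's one-statement check only fires on the Parse path. The sample SQL strings are constructed, and the statement splitter is my own simplified helper (it handles quotes and comments but not dollar-quoting).

```python
import struct

# Constructed sample strings; not taken from the thread.
SINGLE = "SELECT 1"
MULTI = "SELECT 1; SELECT 2"

def simple_query(sql):
    """'Q' message: what PQexec() sends. One string, any number of statements."""
    body = sql.encode() + b"\x00"
    return b"Q" + struct.pack("!i", 4 + len(body)) + body

def parse_message(sql, stmt_name="", param_oids=()):
    """'P' (Parse) message: first step of PQexecParams()/PQprepare(); server allows one statement."""
    body = stmt_name.encode() + b"\x00" + sql.encode() + b"\x00"
    body += struct.pack("!h", len(param_oids))
    body += b"".join(struct.pack("!i", oid) for oid in param_oids)
    return b"P" + struct.pack("!i", 4 + len(body)) + body

def statement_count(sql):
    """Count top-level statements; ';' inside quotes or comments does not split."""
    count, pending, i, n = 0, False, 0, len(sql)
    while i < n:
        c = sql[i]
        if c in "'\"":                      # string literal or quoted identifier; '' doubles
            j = i + 1
            while j < n and not (sql[j] == c and sql[j + 1:j + 2] != c):
                j += 2 if sql[j] == c else 1
            i, pending = j + 1, True
        elif sql.startswith("--", i):       # line comment runs to end of line
            i = n if sql.find("\n", i) < 0 else sql.find("\n", i)
        elif sql.startswith("/*", i):       # block comment
            j = sql.find("*/", i + 2)
            i = n if j < 0 else j + 2
        else:
            if c == ";":
                count += pending            # a ';' ends a statement only if one was started
                pending = False
            elif not c.isspace():
                pending = True
            i += 1
    return count + pending

def inspect_frontend_message(msg):
    """Return (protocol path, statement count) for one captured frontend message."""
    kind = msg[0:1]
    (length,) = struct.unpack("!i", msg[1:5])
    payload = msg[5:1 + length]
    if kind == b"Q":
        return ("simple", statement_count(payload.split(b"\x00", 1)[0].decode()))
    if kind == b"P":
        _name, sql, _rest = payload.split(b"\x00", 2)
        return ("extended", statement_count(sql.decode()))
    return ("other", 0)
```

A proxy or IDS hook can use inspect_frontend_message to flag simple-query messages carrying more than one statement, which is exactly the case the server itself never rejects.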