Re: [HACKERS] Disallowing multiple queries per PQexec()
| От | Surafel Temesgen |
|---|---|
| Тема | Re: [HACKERS] Disallowing multiple queries per PQexec() |
| Дата | |
| Msg-id | CALAY4q-6E+bhmibTq7b-QLZY04QtVZvbQprq3+2Y0FvV21vhXw@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: [HACKERS] Disallowing multiple queries per PQexec() (Jim Nasby <Jim.Nasby@BlueTreble.com>) |
| Список | pgsql-hackers |
As far as my understanding the issue at that time was inability to process creation
of a database and connecting to it with one query string and that can be solved by
fixing transaction restriction checks for CREATE DATABASE or disallowing multiple
queries in PQexe.
If the issue solved and allowing multiple queries in PQexec doesn’t result in SQL injection
attacks that worth backwards-compatibility breakage by itself the item can be drop or
included to v4 Protocol section if it contains items that break backwards-compatibility already
regards
surafel
On Thu, Mar 2, 2017 at 1:02 AM, Jim Nasby <Jim.Nasby@bluetreble.com> wrote:
On 2/28/17 2:45 PM, Andres Freund wrote:So if you don't want to allow multiple statements, use PQexecParams et
al.
That does leave most application authors out in the cold though, since they're using a higher level connection manager.
If the maintenance burden isn't terribly high it would be nice to allow disabling multiple statements via a GUC.
--
Jim Nasby, Data Architect, Blue Treble Consulting, Austin TX
Experts in Analytics, Data Architecture and PostgreSQL
Data in Trouble? Get it in Treble! http://BlueTreble.com
855-TREBLE2 (855-873-2532)
В списке pgsql-hackers по дате отправления: