This assignment is on the todo list and has the benefit of providing an
additional defense against SQL-injection attacks. Previous mailing list
discussion is here
<https://www.postgresql.org/message-id/9236.1167968...@sss.pgh.pa.us>, and I
attach a small patch that fixes the issue by checking whether the query string
contains multiple SQL commands without being a transaction block, and
emits an appropriate error message in the case of a non-transaction-block
multiple-command query string.


This patch was tested using the psql -c option.


i.e. if it is not a transaction block and has multiple commands in the query
string, it emits an appropriate error message.


psql -c 'DECLARE myportal CURSOR FOR select * from pg_database;FETCH ALL in
myportal;CLOSE myportal' postgres

ERROR:  cannot execute multiple commands unless it is a transaction block


For a transaction block, and for a single-command query string, it continues
with normal execution.


psql -c 'BEGIN;DECLARE myportal CURSOR FOR select * from pg_database;FETCH
ALL in myportal;CLOSE myportal;END' postgres

COMMIT



psql -c 'CREATE TABLE foo();' postgres

CREATE TABLE



Comments?


Regards

Surafel

Attachment: disallow-multiple-queries-1.patch
Description: Binary data

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
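The rule the post describes, as an added illustration that is not the patch's own code (the patch lives in the C backend): a small Python statement splitter that counts the SQL commands in a simple-query string, allows more than one only when the string opens with BEGIN / START TRANSACTION and closes with END / COMMIT / ROLLBACK / ABORT, and is run over a constructed stacked-query injection of the kind the rule is meant to stop. The splitter, its quote and comment handling, the keyword lists and the `vulnerable_lookup_sql` / `PAYLOAD` sample are assumptions of this example, not from the post or the patch.

```python
"""Added illustration of the rule in the post, not the patch's own code:
a simple-query string carrying more than one SQL command is rejected unless
the whole string is a transaction block (first command BEGIN / START
TRANSACTION, last command END / COMMIT / ROLLBACK / ABORT).  The splitter
below is a deliberately small approximation of the backend lexer and is an
assumption of this example."""
from __future__ import annotations

import re

# Dollar-quoted strings: $$...$$ or $tag$...$tag$ (assumed tag syntax).
_DOLLAR = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)?\$")
_BEGIN = re.compile(r"^(BEGIN|START\s+TRANSACTION)\b", re.I)
_END = re.compile(r"^(END|COMMIT|ROLLBACK|ABORT)\b", re.I)

ERROR_MSG = "cannot execute multiple commands unless it is a transaction block"


def split_commands(query: str) -> list[str]:
    """Split QUERY on ';' characters that sit outside quotes and comments.

    Handles '...' literals and "..." identifiers (doubled quote = escape),
    dollar-quoted strings, -- line comments and /* */ block comments.
    Comments are dropped, so a trailing "--'" that an attacker uses to
    neutralise the application's closing quote cannot hide a command.
    """
    cmds, buf, i, n = [], [], 0, len(query)
    while i < n:
        c = query[i]
        if c in ("'", '"'):
            j = i + 1
            while j < n:
                if query[j] == c:
                    if j + 1 < n and query[j + 1] == c:   # doubled quote
                        j += 2
                        continue
                    break
                j += 1
            buf.append(query[i:j + 1])
            i = j + 1
        elif query.startswith("--", i):
            j = query.find("\n", i)
            i = n if j == -1 else j            # newline itself is kept
        elif query.startswith("/*", i):
            j = query.find("*/", i + 2)
            i = n if j == -1 else j + 2
            buf.append(" ")
        elif (m := _DOLLAR.match(query, i)):
            tag = m.group(0)
            j = query.find(tag, m.end())
            j = n if j == -1 else j + len(tag)
            buf.append(query[i:j])
            i = j
        elif c == ";":
            text = "".join(buf).strip()
            if text:
                cmds.append(text)
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    text = "".join(buf).strip()
    if text:
        cmds.append(text)
    return cmds


def is_transaction_block(cmds: list[str]) -> bool:
    """True when the command list opens with BEGIN and closes with END/COMMIT."""
    return (len(cmds) >= 2
            and _BEGIN.match(cmds[0]) is not None
            and _END.match(cmds[-1]) is not None)


def check_query(query: str) -> tuple[bool, list[str]]:
    """Apply the rule: returns (allowed, commands); allowed is False exactly
    when the proposed backend behaviour would raise ERROR_MSG."""
    cmds = split_commands(query)
    if len(cmds) > 1 and not is_transaction_block(cmds):
        return False, cmds
    return True, cmds


# Constructed sample (assumption): an application that builds SQL by string
# concatenation, and the stacked-query payload an attacker supplies for name.
def vulnerable_lookup_sql(name: str) -> str:
    return "SELECT * FROM users WHERE name = '" + name + "'"


PAYLOAD = "x'; DROP TABLE users; --"

if __name__ == "__main__":
    samples = [
        vulnerable_lookup_sql("alice"),                 # one command: allowed
        vulnerable_lookup_sql(PAYLOAD),                 # two commands: rejected
        "BEGIN;DECLARE myportal CURSOR FOR select * from pg_database;"
        "FETCH ALL in myportal;CLOSE myportal;END",     # block: allowed
        "SELECT 'a;b', $$c;d$$ /* e;f */ -- g;h\n",     # one command: allowed
    ]
    for q in samples:
        ok, cmds = check_query(q)
        print("OK   " if ok else "ERROR", len(cmds), "command(s):", q.replace("\n", " "))
        if not ok:
            print("  ->", ERROR_MSG)
```

The injected payload is rejected because the attacker only controls the tail of the application's statement: the first command is the application's SELECT, not BEGIN, so the string can never look like a transaction block. The same limitation the post's rule has applies here: an application that already sends `BEGIN; ...; COMMIT` as one string, with attacker-controlled text in the middle, gets no protection. The rule only matters for the simple query protocol (what `psql -c` and libpq `PQexec` use); parameterised queries over the extended protocol already refuse more than one command per statement.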
