Clarify the documentation for multiStatement in the README #1206
Conversation
The current documentation for multiStatements in the README says: Allow multiple statements in one query. While this allows batch queries, it also greatly increases the risk of SQL injections. However, I can't really find any reference to the risk of SQL injections. This sets the clientMultiStatements flag (or CLIENT_MULTI_STATEMENTS in the C API). This comment was added in #411, but without much explanation, and I can't find anything in e.g. #66 or other issues either. The documentation for MySQL[1] or MariaDB[2] doesn't warn for SQL injections, and after some internet searching the only reference I found was in the PHP Docs[3]: The API functions mysqli::query() and mysqli::real_query() do not set a connection flag necessary for activating multi queries in the server. An extra API call is used for multiple statements to reduce the damage of accidental SQL injection attacks. An attacker may try to add statements such as ; DROP DATABASE mysql or ; SELECT SLEEP(999). So I assume this is what this comment refers to. This clarifies the comment, since the current phrasing is somewhat unclear and it took me a bit to find out what exactly this refers to. [1]: https://dev.mysql.com/doc/c-api/8.0/en/c-api-multiple-queries.html [2]: https://mariadb.com/kb/en/mysql_real_connect/ [3]: https://www.php.net/manual/de/mysqli.quickstart.multiple-statement.php
|
IMO, both of current doc and proposed doc is overestimate the effect of multi statement. If SQL injection is possible, there are some ways to attack it without multiple statement. (e.g. Actually speaking, MySQL security guideline don't recommend to disable muti queries. On the other hand, prepared statement doesn't accept multi-statement is more important information. It should be referred with |
|
Yeah, I agree. Both the PostgreSQL pq and go-sqlite3 driver just allow multi statements without fuss; AFAIK there isn't even a way to turn if off. But I figured that clarifying this was the smaller change. I can just remove it? |
Yes, please. |
I can't really find any reference to the risk of SQL injections. This sets the clientMultiStatements flag (or CLIENT_MULTI_STATEMENTS in the C API). This comment was added in go-sql-driver#411, but without much explanation, and I can't find anything in e.g. go-sql-driver#66 or other issues either. The documentation for MySQL[1] or MariaDB[2] doesn't warn for SQL injections, and after some internet searching the only reference I found was in the PHP Docs[3]: The API functions mysqli::query() and mysqli::real_query() do not set a connection flag necessary for activating multi queries in the server. An extra API call is used for multiple statements to reduce the damage of accidental SQL injection attacks. An attacker may try to add statements such as ; DROP DATABASE mysql or ; SELECT SLEEP(999). So I assume this is what this comment refers to. This removes the comment, as discussed in go-sql-driver#1206. [1]: https://dev.mysql.com/doc/c-api/8.0/en/c-api-multiple-queries.html [2]: https://mariadb.com/kb/en/mysql_real_connect/ [3]: https://www.php.net/manual/de/mysqli.quickstart.multiple-statement.php
|
I deleted the original fork, guess I forgot I had a PR on it, and it seems I can no longer edit it now :-/ I had to open a new PR for this: #1430 |
The current documentation for multiStatements in the README says:
However, I can't really find any reference to the risk of SQL
injections. This sets the clientMultiStatements flag (or
CLIENT_MULTI_STATEMENTS in the C API).
This comment was added in #411, but without much explanation, and I
can't find anything in e.g. #66 or other issues either.
The documentation for MySQL1 or MariaDB2 doesn't warn for SQL
injections, and after some internet searching the only reference I found
was in the PHP Docs3:
So I assume this is what this comment refers to.
This clarifies the comment, since the current phrasing is somewhat
unclear and it took me a bit to find out what exactly this refers to.
Description
Please explain the changes you made here.
Checklist