Remove SQL injection warning for multiStatement in README #1430
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
I can't really find any reference to the risk of SQL injections. This sets the clientMultiStatements flag (or CLIENT_MULTI_STATEMENTS in the C API). This comment was added in go-sql-driver#411, but without much explanation, and I can't find anything in e.g. go-sql-driver#66 or other issues either. The documentation for MySQL[1] or MariaDB[2] doesn't warn for SQL injections, and after some internet searching the only reference I found was in the PHP Docs[3]: The API functions mysqli::query() and mysqli::real_query() do not set a connection flag necessary for activating multi queries in the server. An extra API call is used for multiple statements to reduce the damage of accidental SQL injection attacks. An attacker may try to add statements such as ; DROP DATABASE mysql or ; SELECT SLEEP(999). So I assume this is what this comment refers to. This removes the comment, as discussed in go-sql-driver#1206. [1]: https://dev.mysql.com/doc/c-api/8.0/en/c-api-multiple-queries.html [2]: https://mariadb.com/kb/en/mysql_real_connect/ [3]: https://www.php.net/manual/de/mysqli.quickstart.multiple-statement.php
5 tasks
methane
reviewed
May 17, 2023
| @@ -295,7 +295,7 @@ Valid Values: true, false | |||
| Default: false | |||
| ``` | |||
|
|
|||
| Allow multiple statements in one query. While this allows batch queries, it also greatly increases the risk of SQL injections. Only the result of the first query is returned, all other results are silently discarded. | |||
| Allow multiple statements in one query. While this allows batch queries. Only the result of the first query is returned, all other results are silently discarded. | |||
There was a problem hiding this comment.
"While this..." paragraph doesn't make sense.
And "Only the..." paragraph is incorrect for now too.
I will rewrite this paragraph.
|
Please review #1431. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I can't really find any reference to the risk of SQL injections. This sets the clientMultiStatements flag (or CLIENT_MULTI_STATEMENTS in the C API).
This comment was added in #411, but without much explanation, and I can't find anything in e.g. #66 or other issues either.
The documentation for MySQL1 or MariaDB2 doesn't warn for SQL injections, and after some internet searching the only reference I found was in the PHP Docs3:
So I assume this is what this comment refers to.
This removes the comment, as discussed in #1206.
Description
Please explain the changes you made here.
Checklist