Mantriur

Reputation: 1017

Is there a way to disable the mysql -- comment syntax?

I recently had to investigate an SQL incursion and noticed how -- is a great help for an attacker. Considering it's not a very useful instrument in many web environments, but seems to add to the damage potential of such vulnerabilities, why not disable it? I couldn't find a way, hence the question.

Upvotes: 0

Views: 947

Answers (1)

Trent Lloyd

Reputation: 1892

It is not possible to disable SQL comment parsing.

The correct solution is to ensure your application does not allow it to occur by always escaping user input, or better yet by using parametrised queries of some kind, whether directly through the MySQL server API or through a user library that does it client-side.

Disabling comments may help a little, but it is very easy to do SQL injection without them; they can simply write the start of another complete query instead of commenting out the remainder of the statement.

If that is not practical for some reason, you may want to consider the MySQL Enterprise Firewall (this is a commercial product and not open source), which allows you to set up a query whitelist: https://www.mysql.com/products/enterprise/firewall.html

Upvotes: 2
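The two points in the answer above, that comments are not needed for injection and that parametrised queries close the hole regardless, can be checked with a small runnable demonstration. This is an added example, not code from the question or the answer. It assumes Python's built-in sqlite3 module as an offline stand-in for a MySQL connection (the mechanism is identical; MySQL drivers such as mysql-connector-python use %s rather than ? as the placeholder), and the users table and payload strings are constructed here for illustration. Neither payload contains --, #, or /* */: each one closes the attacker-controlled string literal and then re-balances the quotes so the rest of the original statement stays syntactically valid, which is exactly why removing comment syntax would not stop it.

```python
import sqlite3

# Constructed sample data (not from the original page): a minimal users table
# in an in-memory SQLite database, standing in for the MySQL server.
SAMPLE_USERS = [
    ("alice", "s3cret", "admin"),
    ("bob", "hunter2", "user"),
]


def build_db() -> sqlite3.Connection:
    """Create the throwaway database the demo runs against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """String-concatenated query: the bug the question is about.

    User input becomes part of the SQL text, so the parser sees whatever
    quotes and keywords the attacker supplies.
    """
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterised(conn: sqlite3.Connection, username: str, password: str):
    """Placeholder query: the fix the answer recommends.

    The statement text is fixed; the driver binds the values separately,
    so a quote inside a value is just a character, never SQL syntax.
    """
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Injection payloads with no comment sequence at all (constructed examples).
# Both end with a balanced quoted literal so the trailing ' from the original
# statement closes cleanly instead of being commented out.
PAYLOAD_OR = "' OR '1'='1"
PAYLOAD_UNION = "' UNION SELECT password, username FROM users WHERE '1'='1"


def demo():
    """Run each payload through both code paths and return the row sets."""
    conn = build_db()
    return {
        # Vulnerable path: tautology bypasses the password check entirely.
        "vuln_or": login_vulnerable(conn, "nobody", PAYLOAD_OR),
        # Vulnerable path: UNION pulls every password out of the table.
        "vuln_union": login_vulnerable(conn, "nobody", PAYLOAD_UNION),
        # Parametrised path: the same strings are compared as literal passwords.
        "safe_or": login_parameterised(conn, "nobody", PAYLOAD_OR),
        "safe_union": login_parameterised(conn, "nobody", PAYLOAD_UNION),
        # Parametrised path still works for a genuine login.
        "legit": login_parameterised(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running the block shows the vulnerable path returning every user for the OR payload and every password for the UNION payload, while the parametrised path returns nothing for either and still authenticates alice. Note that the MySQL server also accepts # and /* */ comments, so even a hypothetical switch for -- would leave two other comment forms in place; the placeholder approach removes the whole class of problem rather than one token.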
