Do not support multiple statements for security and API reasons

clue · clue · commit 0edb22fe413b · 2018-06-15T20:56:07.000+02:00
diff --git a/src/ConnectionInterface.php b/src/ConnectionInterface.php
@@ -32,6 +32,11 @@ interface ConnectionInterface
      *
      *  function (QueryCommand $cmd, ConnectionInterface $conn): void
      *
+     * The given `$sql` parameter MUST contain a single statement. Support
+     * for multiple statements is disabled for security reasons because it
+     * could allow for possible SQL injection attacks and this API is not
+     * suited for exposing multiple possible results.
+     *
      * @return QueryCommand|null Return QueryCommand if $callback not specified.
      * @throws Exception if the connection is not initialized or already closed/closing
      */
diff --git a/src/Protocal/Parser.php b/src/Protocal/Parser.php
@@ -406,8 +406,6 @@ public function authenticate()
                 Constants::CLIENT_INTERACTIVE |
                 Constants::CLIENT_TRANSACTIONS |
                 Constants::CLIENT_SECURE_CONNECTION |
-                Constants::CLIENT_MULTI_RESULTS |
-                Constants::CLIENT_MULTI_STATEMENTS |
                 Constants::CLIENT_CONNECT_WITH_DB;
 
         $packet = pack('VVc', $clientFlags, $this->maxPacketSize, $this->charsetNumber)
diff --git a/tests/ResultQueryTest.php b/tests/ResultQueryTest.php
@@ -104,7 +104,7 @@ public function testSimpleSelect()
         $loop->run();
     }
 
-    public function testInvalidSelect()
+    public function testInvalidSelectShouldFail()
     {
         $loop = \React\EventLoop\Factory::create();
 
@@ -122,6 +122,22 @@ public function testInvalidSelect()
         $loop->run();
     }
 
+    public function testInvalidMultiStatementsShouldFailToPreventSqlInjections()
+    {
+        $loop = \React\EventLoop\Factory::create();
+
+        $connection = new \React\MySQL\Connection($loop, $this->getConnectionOptions());
+        $connection->connect(function () {});
+
+        $connection->query('select 1;select 2;', function ($command, $conn) {
+            $this->assertEquals(true, $command->hasError());
+            $this->assertContains("You have an error in your SQL syntax", $command->getError()->getMessage());
+        });
+
+        $connection->close();
+        $loop->run();
+    }
+
     public function testEventSelect()
     {
         $this->expectOutputString('result.result.results.end.');

Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,11 @@ interface ConnectionInterface`
`32`	`32`	`*`
`33`	`33`	`* function (QueryCommand $cmd, ConnectionInterface $conn): void`
`34`	`34`	`*`
	`35`	+ * The given `$sql` parameter MUST contain a single statement. Support
	`36`	`+ * for multiple statements is disabled for security reasons because it`
	`37`	`+ * could allow for possible SQL injection attacks and this API is not`
	`38`	`+ * suited for exposing multiple possible results.`
	`39`	`+ *`
`35`	`40`	`* @return QueryCommand\|null Return QueryCommand if $callback not specified.`
`36`	`41`	`* @throws Exception if the connection is not initialized or already closed/closing`
`37`	`42`	`*/`