fix(prepare-db): add SQL injection protection to explain_generic

Summary

  • Add input validation to postgres_ai.explain_generic() function to prevent SQL injection
  • Reject empty/null queries
  • Detect and reject multiple statements (semicolon outside trailing position)
  • Strip trailing semicolons for convenience
  • Add comprehensive integration tests for the validation logic

Fixes #70

Changes

SQL injection protection (cli/sql/05.helpers.sql)

-- Input validation: reject empty queries
if query is null or trim(query) = '' then
  raise exception 'query cannot be empty';
end if;

-- Input validation: tolerate a single trailing semicolon (stripped below);
-- any other semicolon marks a second statement and the query is rejected
v_clean_query := trim(query);
if v_clean_query like '%;%' then
  v_clean_query := regexp_replace(v_clean_query, ';\s*$', '');
  if v_clean_query like '%;%' then
    raise exception 'query contains multiple statements (semicolon detected)';
  end if;
end if;
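The snippet above is a fragment of the helper; the following is an added example, not the project's code, that wraps the same two checks in a stand-alone PL/pgSQL function (hypothetical name demo.validate_query) and runs a set of constructed inputs through it so the accepted and rejected cases are visible side by side, including the cases where a semicolon sits inside a string literal or a comment and the check rejects the query anyway.

```sql
-- Added example, not part of the merge request. The schema and function
-- names (demo.validate_query, demo.try_validate) are hypothetical.
create schema if not exists demo;

-- Same rules as the explain_generic() snippet: reject empty input, tolerate
-- one trailing semicolon, reject any other semicolon. Returns the cleaned query.
create or replace function demo.validate_query(query text)
returns text
language plpgsql
as $$
declare
  v_clean_query text;
begin
  -- reject null or whitespace-only input
  if query is null or trim(query) = '' then
    raise exception 'query cannot be empty';
  end if;

  v_clean_query := trim(query);

  -- regexp_replace without the 'g' flag removes only the final ';' (plus any
  -- whitespace after it); a semicolon anywhere else is treated as a separator
  if v_clean_query like '%;%' then
    v_clean_query := regexp_replace(v_clean_query, ';\s*$', '');
    if v_clean_query like '%;%' then
      raise exception 'query contains multiple statements (semicolon detected)';
    end if;
  end if;

  return v_clean_query;
end;
$$;

-- Harness: return either the cleaned query or the error text, so every
-- constructed input shows up in one result set instead of aborting the batch.
create or replace function demo.try_validate(query text)
returns text
language plpgsql
as $$
begin
  return 'ok: ' || demo.validate_query(query);
exception
  when others then
    return 'rejected: ' || sqlerrm;
end;
$$;

-- Constructed inputs (not real traffic); the comment on each row is the outcome.
select input, demo.try_validate(input) as outcome
from (values
  ('select 1'),                      -- ok: select 1
  ('select 1;'),                     -- ok: select 1   (trailing ; stripped)
  ('  select 1;  '),                 -- ok: select 1   (trimmed, then stripped)
  (''),                              -- rejected: query cannot be empty
  (null::text),                      -- rejected: query cannot be empty
  ('select 1; drop table users'),    -- rejected: multiple statements
  ('select 1;;'),                    -- rejected: only one trailing ; is removed
  ('select ''a;b'''),                -- rejected: ; inside a string literal
  ('select 1 -- ; comment')          -- rejected: ; inside a comment
) as t(input);
```

The last three rows are the practical caveats of a character-level check: `select 1;;` is refused because only one trailing semicolon is removed, and a semicolon inside a quoted string or a `--` comment is indistinguishable from a statement separator without a real SQL tokenizer, so those queries are refused as well. That is the conservative side to fail on, but callers that legitimately need a literal `;` in their query text will hit it.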
