What's New
New Features
- Server-side read-only mode — Set
DB_READ_ONLY=trueto disable all write and DDL tools at the server level. Write tools are hidden from the tool list and cannot be called, regardless of client configuration.
Security
- SQL injection prevention — All table/column names are now properly quoted with
quoteIdent, preventing injection via crafted identifiers. - Multi-statement query blocking —
query_datanow rejects queries containing multiple statements, preventing piggyback attacks.
Bug Fixes
- Fixed semicolon false-positive — Semicolons inside string literals no longer trigger the multi-statement rejection.
update_datanow acceptsdataparameter — Consistent withinsert_data. The originalvaluesparameter still works.
Documentation
- Added least-privilege database role examples (read-only and read-write) to README.
- Documented
DB_READ_ONLYconfiguration and security recommendations.
Full Changelog: v1.2.1...v1.3.0