Skip to content

v1.3.0: Read-only mode and security hardening

Latest

Choose a tag to compare

@kristofer84 kristofer84 released this 21 May 08:24

What's New

New Features

  • Server-side read-only mode — Set DB_READ_ONLY=true to disable all write and DDL tools at the server level. Write tools are hidden from the tool list and cannot be called, regardless of client configuration.

Security

  • SQL injection prevention — All table/column names are now properly quoted with quoteIdent, preventing injection via crafted identifiers.
  • Multi-statement query blockingquery_data now rejects queries containing multiple statements, preventing piggyback attacks.

Bug Fixes

  • Fixed semicolon false-positive — Semicolons inside string literals no longer trigger the multi-statement rejection.
  • update_data now accepts data parameter — Consistent with insert_data. The original values parameter still works.

Documentation

  • Added least-privilege database role examples (read-only and read-write) to README.
  • Documented DB_READ_ONLY configuration and security recommendations.

Full Changelog: v1.2.1...v1.3.0