PolarProxy's SQL Firewall lets you block specific SQL statements or statement types before they reach your PolarDB for MySQL cluster. Use blacklist rules to prevent accidental or unauthorized data operations—such as unbounded DELETE or UPDATE statements, DDL commands, or specific SQL patterns identified during a security incident.
How it works
PolarProxy intercepts SQL statements at the proxy layer and compares them against your configured blacklist rules. Statements that match a rule are rejected with an error; all other statements pass through normally.
Three rule modes are available:
| Mode | How you define the block pattern | Best for |
|---|---|---|
| Fixed rule mode | Select built-in criteria in the console (statement type, missing WHERE clause, specific columns or functions, wildcard asterisks) | Blocking broad categories of risky statements across a cluster or account |
| Custom parameterized SQL mode | Run the target statement through PolarProxy with a special hint; PolarProxy generates a parameterized template that matches any value in the variable positions | Blocking a family of structurally identical statements, regardless of their literal values |
| Custom SQL mode | Run the exact statement through PolarProxy with a different hint | Blocking one specific statement; statements with different parameter values are not affected |
Prerequisites
Before you begin, ensure that you have:
A PolarDB for MySQL cluster with PolarProxy enabled
Access to the PolarDB console
Create a blacklist rule
Log on to the PolarDB console.
In the upper-left corner of the console, select the region where your cluster is deployed.
Find the cluster and click the cluster ID.
In the left-side navigation pane, choose Settings and Management > Security Management.
On the SQL Firewall tab, click Add in the upper-left corner.
In the Create a Rule dialog box, select a mode and configure the parameters.
Fixed rule mode
Configure the parameters described in the following table, then click OK.
Basic information
| Parameter | Required | Description |
|---|---|---|
| Rule Name | Yes | The rule name. Must contain only digits and letters, and be no longer than 30 characters. |
| Description | No | A description of the rule. No longer than 64 characters. |
| Endpoint | Yes | The endpoint to which the rule applies. |
Configurations
| Parameter | Required | Description |
|---|---|---|
| Rule Type | Yes | Select Blacklist Rule. |
| Current Mode | No | Set to Protection Mode. PolarProxy blocks SQL statements that match the rule. |
| Database Account Name | No | The database accounts the rule applies to. Options: All Accounts (applies to all accounts; leave the adjacent field blank), Include (applies only to the listed accounts; enter at least one account name), or Exclude (applies to all accounts except the listed ones; enter at least one account name). Account names must follow one of these formats: Username (example: user) or Username@IP address (example: user@10.0.0.0). Separate multiple names with commas (,). |
| **Block SQLs With Asterisks (*)** | No | Set to Enable to block statements that contain asterisks (*). |
| Block SQLs of Specific Types | No | Set to Enable to block statements of specific types. When enabled, select at least one type: CREATE, DROP, ALTER, TRUNCATE, RENAME, INSERT, UPDATE, SELECT, or DELETE. |
| Block SQLs Without WHERE | No | Set to Enable to block UPDATE, SELECT, or DELETE statements that have no WHERE clause. When enabled, select at least one type. This setting applies only to statements that reference at least one table name. For example, SELECT 1; is not blocked. |
| Block SQLs With Specific Columns | No | Set to Enable to block statements that reference specific columns. When enabled, choose All (all columns), Include (only the listed columns; enter at least one), or Exclude (all columns except the listed ones; enter at least one). |
| Block SQLs With Specific Functions | No | Set to Enable to block statements that call specific functions. When enabled, choose All (all functions), Include (only the listed functions; enter at least one), or Exclude (all functions except the listed ones; enter at least one). |
| Block SQLs With Specific Columns and Specific Functions | No | Set to Enable to block statements that match a combination of column and function criteria. Enter at least one function and one column name. The Function Name and Column Name parameters each support Include or Exclude. The following table shows how combinations interact. |
Function Name and Column Name combinations
| Function Name | Column Name | Statements blocked |
|---|---|---|
| Include | Include | Statements that contain the specified functions AND the specified columns |
| Include | Exclude | Statements that contain the specified functions AND do not contain the specified columns |
| Exclude | Include | Statements that do not contain the specified functions AND do contain the specified columns |
| Exclude | Exclude | Statements that contain neither the specified functions nor the specified columns |
Custom parameterized SQL mode
In custom parameterized SQL mode, PolarProxy generates a parameterized template from a real SQL statement you provide. The template replaces all literal values with ? placeholders, and PolarProxy blocks any future statement that matches the template structure—regardless of the actual values used.
Example: If you add select id from sqlblack_test where id = 1; to the blacklist, PolarProxy generates the template select id from sqlblack_test where id = ?. The question mark (?) in the template indicates any value.
In the Create a Rule dialog box, select Custom parameterized SQL mode. Configure the required parameters. For the Configurations section, you can disable all options.
Click OK.
Connect to the specified endpoint using the database account name defined in the rule.
Prefix the SQL statement you want to block with the
/* store_to_blacklist */hint and run it./* store_to_blacklist */ select id from sqlblack_test where id = 1;PolarProxy stores the parameterized template
select id from sqlblack_test where id = ?in theproxy_auditing.sql_listtable.Wait 5 seconds. After that, any statement matching the template is blocked. PolarProxy returns the following error:
ERROR 1141 (HY000): This SQL is rejected by SQL Firewall. Access denied for user 'xxx'@'x.x.x.x' to database 'xzh': This SQL is in blacklist bl_test.bl_testis the name of the blacklist rule table.
If you use the MySQL command line, add the-coption when connecting. Without-c, the MySQL client strips comment-style hints before sending the statement to the server, and/* store_to_blacklist */has no effect.
Custom SQL mode
In custom SQL mode, PolarProxy blocks only the exact statement you provide—including its specific parameter values. Statements with different values are not blocked.
In the Create a Rule dialog box, select Custom SQL mode. Configure the required parameters. For the Configurations section, you can disable all options.
Click OK.
Connect to the specified endpoint using the database account name defined in the rule.
Prefix the statement you want to block with the
/* orginal_store_to_blacklist */hint and run it./* orginal_store_to_blacklist */ update t set k = 2 where id = 2;PolarProxy stores this exact statement in the
proxy_auditing.org_sql_listtable.Wait 5 seconds. After that, running
update t set k = 2 where id = 2;on that cluster is blocked. Statements with different values, such asupdate t set k = 3 where id = 5;, are not affected. PolarProxy returns the following error when the matched statement is blocked:ERROR 1141 (HY000): This SQL is rejected by SQL Firewall. Access denied for user 'xxx'@'x.x.x.x' to database 'xzh': This SQL is in blacklist bl_test.
If you use the MySQL command line, add the-coption when connecting. Without-c, the MySQL client strips comment-style hints before sending the statement to the server, and/* orginal_store_to_blacklist */has no effect.
Enable or disable a blacklist rule
Log on to the PolarDB console.
In the upper-left corner of the console, select the region where your cluster is deployed.
Find the cluster and click the cluster ID.
In the left-side navigation pane, choose Settings and Management > Security Management.
On the SQL Firewall tab, find the rule and toggle Enable/Disable.
In the confirmation dialog, click OK.
To enable or disable multiple rules at once, select them in the rule list and then click Enable or Disable.
Modify a blacklist rule
Log on to the PolarDB console.
In the upper-left corner of the console, select the region where your cluster is deployed.
Find the cluster and click the cluster ID.
In the left-side navigation pane, choose Settings and Management > Security Management.
On the SQL Firewall tab, find the rule and click Modify in the Actions column.
In the Modify a Rule dialog box, update the parameters as needed, then click OK.
The rule name cannot be changed after creation. To update the SQL statements stored in a custom parameterized SQL mode rule or custom SQL mode rule, you must remove the statements directly from the underlying table and add them again. This cannot be done through the console.
Delete a blacklist rule
Log on to the PolarDB console.
In the upper-left corner of the console, select the region where your cluster is deployed.
Find the cluster and click the cluster ID.
In the left-side navigation pane, choose Settings and Management > Security Management.
On the SQL Firewall tab, find the rule and click Delete in the Actions column.
In the confirmation dialog, click OK.
To delete multiple rules at once, select them in the rule list and then click Delete.
Remove stored SQL statements from custom rules
Disabling or deleting a rule in the console stops enforcement, but the stored SQL statements remain in the underlying table. If you re-enable the rule later, PolarProxy resumes blocking based on those stored statements.
To fully remove the stored statements, connect to the primary node using the super administrator account and delete the relevant rows from the table directly.
Do not run a DROP statement against these tables. Only delete the specific rows you want to remove.
Custom parameterized SQL mode
Stored statements are in the proxy_auditing.sql_list table. Remove the relevant rows from this table. The template stops matching within 5 seconds.
Custom SQL mode
Stored statements are in the proxy_auditing.org_sql_list table. Remove the relevant rows from this table. The block stops applying within 5 seconds.