PolarDB:sql_firewall

Phase 1: Learn your SQL patterns

1. Set the sql_firewall.firewall parameter to learning in the PolarDB console and restart the cluster.

2. Run your application under representative workloads. The extension records every SQL statement and adds it to the whitelist.

3. Allow enough time to capture the full range of SQL patterns your application executes.

Phase 2: Validate the whitelist

1. Set sql_firewall.firewall to permissive and restart the cluster.

2. Continue running your application. The extension executes all SQL statements but logs a warning for any statement not in the whitelist.

3. Review the warnings. For each flagged statement:

   • If legitimate, switch back to learning mode to add it to the whitelist.

   • If it looks like a high-risk or unexpected statement, investigate before proceeding.

4. Repeat until no unexpected warnings appear.

Phase 3: Enforce the whitelist

1. Set sql_firewall.firewall to enforcing and restart the cluster.

2. The extension now blocks any SQL statement not in the whitelist and returns an error to the caller.

GUC parameters

Functions

Views

`sql_firewall.sql_firewall_statements`

Returns all SQL statements in the whitelist and the number of times each statement was executed.

select * from sql_firewall.sql_firewall_statements;

Example output:

 userid |  queryid   |              query              | calls
--------+------------+---------------------------------+-------
     10 | 3294787656 | select * from k1 where uid = ?; |     4
(1 row)

`sql_firewall.sql_firewall_stat`

Returns the cumulative count of warnings generated in permissive mode (sql_warning) and errors generated in enforcing mode (sql_error).

select * from sql_firewall.sql_firewall_stat;

Example output:

 sql_warning | sql_error
-------------+-----------
           2 |         1
(1 row)

Validate that all application SQL is whitelisted before going live

Before switching to enforcing mode, confirm that your application's SQL patterns are in the whitelist. Run your application in permissive mode, then check for warnings:

select * from sql_firewall.sql_firewall_stat;

If sql_warning is greater than zero, review the flagged statements:

select * from sql_firewall.sql_firewall_statements;

Switch back to learning mode for any legitimate statements that were flagged, then return to permissive mode and repeat until sql_warning stays at zero.

Permissive mode: SQL injection attempt flagged but not blocked

In permissive mode, non-whitelisted SQL executes but triggers a warning. The query select * from k1 where uid = 3 or 1 = 1 is a classic SQL injection pattern — it is not in the whitelist, so a warning fires but the query still runs.

-- Whitelisted query: executes without warning
select * from k1 where uid = 1;
-- uid |    uname
-- -----+-------------
--   1 | Park Gyu-ri
-- (1 row)

-- Also whitelisted: executes without warning
select * from k1 where uid = 3;
-- uid |   uname
-- -----+-----------
--   3 | Goo Ha-ra
-- (1 row)

-- Not in whitelist: executes, but generates a warning
select * from k1 where uid = 3 or 1 = 1;
-- WARNING:  Prohibited SQL statement
-- uid |     uname
-- -----+----------------
--   1 | Park Gyu-ri
--   2 | Nicole Jung
--   3 | Goo Ha-ra
--   4 | Han Seung-yeon
--   5 | Kang Ji-young
-- (5 rows)

Enforcing mode: SQL injection attempt blocked

In enforcing mode, non-whitelisted SQL is blocked entirely.

-- Whitelisted query: executes normally
select * from k1 where uid = 3;
-- uid |   uname
-- -----+-----------
--   3 | Goo Ha-ra
-- (1 row)

-- Not in whitelist: blocked with an error
select * from k1 where uid = 3 or 1 = 1;
-- ERROR:  Prohibited SQL statement