db-mcp

The server implements keyword filtering and requires queries to start with 'SELECT' or 'WITH' to enforce read-only operations. It correctly loads database credentials from environment variables and uses connection isolation by connecting and disconnecting for each query. However, the `validateReadOnly` function's deny-list is incomplete; it does not block keywords like `UNION` (which can be used for data exfiltration in a read-only context) or functions that could enable time-based or error-based SQL injection attacks (e.g., `pg_sleep`). Furthermore, the server passes the SQL query as a raw string to the database driver's `query` or `execute` method. While its intent is secure, it does not utilize parameterized queries for values, which is the most robust way to prevent SQL injection. This means if an AI assistant generates a 'SELECT' query with user-controlled input that isn't properly escaped by the AI itself, the server's validation might not catch all read-only injection vectors.