
claude-database-tools

Verified Safe

by Cyronius

Overview

Integrate Claude Code with SQL Server databases for CLI-driven and MCP-based operations, supporting SQL Server authentication.

Installation

Run Command
node dist/index.js

Environment Variables

  • SQL_SERVER
  • SQL_DATABASE
  • SQL_USER
  • SQL_PASSWORD
  • READONLY_MODE

Security Notes

The server implements strong SQL injection prevention for SELECT queries, using extensive keyword and pattern validation. DML operations (INSERT, UPDATE, DELETE) correctly utilize parameterized queries and enforce safety mechanisms like requiring a WHERE clause for updates/deletes and explicit confirmation for physical deletions. However, a critical security vulnerability exists in the implementation of read-only mode: the MCP server's tool listing relies on `process.env.READONLY`, while the core database operations (e.g., `InsertData`, `DeleteData`) check `process.env.READONLY_MODE`. If `READONLY=true` is set in the MCP server configuration (as per README) but `READONLY_MODE=true` is not also set in the server's `.env` file, the MCP client will only *list* read-only tools, but direct invocation of write tools via the MCP protocol could still succeed, bypassing the intended security restriction. This creates a false sense of security for read-only deployments.
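The mismatch described above, reduced to a minimal model alongside a hardened variant and a check that flags tools hidden from the listing but still callable. This is an added example, not code from the claude-database-tools repository: the function names, the `ReadData` tool and the tool table are hypothetical, and treating either variable as enabling read-only mode is an assumption about how a fix could behave.

```javascript
// Constructed tool table. InsertData and DeleteData are named in the notes;
// ReadData is a hypothetical read-only tool added for contrast.
const TOOLS = new Map([
  ["ReadData", { write: false }],
  ["InsertData", { write: true }],
  ["DeleteData", { write: true }],
]);

const isTrue = (v) => String(v ?? "").trim().toLowerCase() === "true";

// Mismatched pattern from the notes: the listing reads READONLY,
// the operation itself reads READONLY_MODE.
function listToolsMismatched(env) {
  const hideWrites = isTrue(env.READONLY);
  return [...TOOLS.keys()].filter((n) => !(hideWrites && TOOLS.get(n).write));
}
function callToolMismatched(env, name) {
  const tool = TOOLS.get(name);
  if (!tool) return "rejected";
  return tool.write && isTrue(env.READONLY_MODE) ? "rejected" : "executed";
}

// Hardened variant (assumption: either flag means read-only, so the server
// fails closed). One resolver feeds both the listing and the call path.
function isReadOnly(env) {
  return isTrue(env.READONLY) || isTrue(env.READONLY_MODE);
}
function listTools(env) {
  const ro = isReadOnly(env);
  return [...TOOLS.keys()].filter((n) => !(ro && TOOLS.get(n).write));
}
function callTool(env, name) {
  const tool = TOOLS.get(name);
  if (!tool) return "rejected";
  return tool.write && isReadOnly(env) ? "rejected" : "executed";
}

// Deployment check: any tool hidden from the listing must also be refused
// when invoked by name. Returns the tools that violate this.
function hiddenButCallable(env, list, call) {
  const listed = new Set(list(env));
  return [...TOOLS.keys()].filter(
    (n) => !listed.has(n) && call(env, n) === "executed"
  );
}

const env = { READONLY: "true" }; // constructed: READONLY_MODE left unset
console.log(hiddenButCallable(env, listToolsMismatched, callToolMismatched));
console.log(hiddenButCallable(env, listTools, callTool));
```

Independent of the server's own flag handling, connecting with a SQL Server login that has only read permissions keeps write statements from succeeding at the database.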

Stats

Interest Score: 0
Security Score: 6
Cost Class: High
Avg Tokens: 250000
Stars: 0
Forks: 0
Last Update: 2025-12-14

Tags

sql-server, mssql, claude-code, mcp, database, cli