enhanced-postgres-mcp-server
by GarethCott
Overview
This server acts as a Model Context Protocol interface for PostgreSQL, enabling LLMs to query data, modify records, and manage database schema objects with read and write capabilities.
Installation
npx enhanced-postgres-mcp postgresql://localhost/mydb
Environment Variables
- DATABASE_URL
Security Notes
The server has critical SQL injection vulnerabilities in several tools. While 'query' uses prepared statements for values, 'insert', 'update', and 'delete' directly concatenate table names and WHERE clauses, making them vulnerable. More critically, all schema management tools ('createTable', 'createFunction', 'createTrigger', 'createIndex', 'alterTable') construct SQL queries by directly concatenating LLM-provided string inputs (like table names, column definitions, function bodies, trigger conditions, and alter operations). This allows an LLM to generate arbitrary malicious SQL, leading to severe data corruption, unauthorized data access, or complete database destruction. The server relies on an external database URL which may contain credentials.
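The concatenation problem described above, as an added example that is not code from enhanced-postgres-mcp-server: a vulnerable insert builder beside hardened insert and delete builders that allow-list identifiers, double-quote them, and hand values to the driver as parameters (pg-style $n placeholders are assumed; no database connection is needed to run it).

```javascript
// Added example, not the project's code. Vulnerable pattern: table name,
// column names, and values are all spliced into the SQL text, so any of
// them can change the statement's meaning.
function unsafeInsert(table, row) {
  const cols = Object.keys(row).join(', ');
  const vals = Object.values(row).map((v) => `'${v}'`).join(', ');
  return `INSERT INTO ${table} (${cols}) VALUES (${vals})`;
}

// Hardened helpers: identifiers are allow-listed by pattern and double-quoted;
// values never enter the SQL text and are returned separately as parameters.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;
const OPS = new Set(['=', '<>', '<', '<=', '>', '>=']);

function quoteIdent(name) {
  if (typeof name !== 'string' || !IDENT.test(name)) {
    throw new Error(`rejected identifier: ${JSON.stringify(name)}`);
  }
  return `"${name}"`;
}

function safeInsert(table, row) {
  const keys = Object.keys(row);
  if (keys.length === 0) throw new Error('row has no columns');
  const cols = keys.map(quoteIdent).join(', ');
  const params = keys.map((_, i) => `$${i + 1}`).join(', ');
  return {
    text: `INSERT INTO ${quoteIdent(table)} (${cols}) VALUES (${params})`,
    values: keys.map((k) => row[k]),
  };
}

// Instead of a free-form WHERE string, accept structured predicates
// [{ column, op, value }] so the clause shape is fixed by the server, and
// refuse an empty predicate list rather than emitting an unconditional DELETE.
function safeDelete(table, predicates) {
  if (!Array.isArray(predicates) || predicates.length === 0) {
    throw new Error('refusing unconditional DELETE');
  }
  const values = [];
  const clauses = predicates.map(({ column, op, value }) => {
    if (!OPS.has(op)) throw new Error(`rejected operator: ${String(op)}`);
    values.push(value);
    return `${quoteIdent(column)} ${op} $${values.length}`;
  });
  return {
    text: `DELETE FROM ${quoteIdent(table)} WHERE ${clauses.join(' AND ')}`,
    values,
  };
}
```

The returned `{ text, values }` pair is the shape a parameterized driver call expects, so the server never has to interpolate an LLM-supplied value itself.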
Similar Servers
MCP-PostgreSQL-Ops
The MCP server provides professional operations, monitoring, and management capabilities for PostgreSQL databases using natural language queries.
sqlite-mcp
A Model Context Protocol (MCP) server that enables LLMs to interact with SQLite databases by providing tools and resources for querying and managing data.
dx-mcp-server
Empowers AI applications to interact with and query a user-provided Postgres database via the Model Context Protocol (MCP).
mcp-postgres
Provides a read-only Model Context Protocol (MCP) server for AI tools (like Claude Code, Cursor) to query a PostgreSQL database directly.