sql-server-mcp

The server implements robust security measures including: comprehensive SQL validation to block dangerous keywords (e.g., DROP DATABASE, xp_cmdshell) and suspicious patterns (e.g., SQL injection attempts); enforcement of parameterized queries; configurable maximum rows affected limits for write operations; explicit transaction management with timeouts and auto-rollback; separate read-only and read-write connection pools; and comprehensive audit logging for all operations. While string manipulation is used for stored procedure (SP) schema/name rewriting during draft management, it's applied after validation and is highly specific, mitigating broader injection risks. The test environment uses a hardcoded SA password, but the production server correctly relies on environment variables.