Skip to main content

Preventing SQL Injection in MCP Tool Calls with Gateway Rules

MCP Manager
Updated

Intro

Use MCP Manager gateway rules to detect and block dangerous SQL patterns before they reach your database-connected MCP servers.

Who This Is For

If your MCP server connects to a SQL database — for example, a custom ConnectWise MCP server that executes queries against a backend database — you should apply gateway-level rules in MCP Manager to intercept and block tool call arguments that contain SQL injection patterns. This is especially important when AI agents or end users can influence the parameters passed to your MCP tools.

Regex Patterns Reference

The following patterns are designed to be applied as request blocking rules on your MCP Manager gateway. Each pattern matches against the content of tool call arguments (the params body of an MCP tools/call request). All patterns are case-insensitive.

Pattern 1 — Destructive DDL Statements Critical

Blocks DROP, ALTER, and TRUNCATE statements targeting database objects.

regex(?i)\b(DROP|ALTER|TRUNCATE)\s+(TABLE|DATABASE|SCHEMA|INDEX|VIEW|COLUMN|PROCEDURE|FUNCTION|TRIGGER)\b
BlocksAllows
DROP TABLE customers
ALTER TABLE orders ADD...
TRUNCATE TABLE logs		drop me a note (no SQL object keyword follows)
the table was altered (no SQL object keyword)

Pattern 2 — Data Modification (DELETE / UPDATE) Critical

Blocks DELETE FROM and UPDATE...SET statements.

regex(?i)\b(DELETE\s+FROM\s+\w|UPDATE\s+\w+\s+SET)\b
BlocksAllows
DELETE FROM users WHERE...
UPDATE accounts SET balance=0		delete the file
update me on the status

Pattern 3 — INSERT Statements High

Blocks INSERT INTO to prevent unauthorized data creation.

regex(?i)\bINSERT\s+INTO\s+\w

Pattern 4 — Command Execution Critical

Blocks EXEC/EXECUTE (stored procedures), xp_cmdshell (OS command execution), and sp_executesql (dynamic SQL). Particularly important for Microsoft SQL Server environments.

regex(?i)\b(EXEC(UTE)?(\s+|\()|xp_cmdshell|sp_executesql|xp_regread|xp_servicecontrol)\b

Pattern 5 — UNION-Based Injection Critical

Blocks UNION SELECT and UNION ALL SELECT, the most common technique for extracting data from other tables.

regex(?i)\bUNION\s+(ALL\s+)?SELECT\b

Pattern 6 — Privilege Escalation Critical

Blocks GRANT and REVOKE permission statements.

regex(?i)\b(GRANT|REVOKE)\s+(ALL|SELECT|INSERT|UPDATE|DELETE|EXECUTE|ALTER|CREATE|DROP)\b

Pattern 7 — Stacked Queries (Semicolon Injection) High

Blocks semicolons followed by SQL keywords — the classic technique for appending a second malicious statement to a legitimate query.

regex(?i);\s*(DROP|DELETE|UPDATE|INSERT|ALTER|TRUNCATE|EXEC|GRANT|REVOKE|CREATE|UNION)\b

Pattern 8 — SQL Comment Obfuscation Medium

Blocks inline SQL comments (/* ... */) and line comments (--) that attackers use to bypass other filters or comment out WHERE clauses.

regex(\/\*[\s\S]*?\*\/|--\s.*$)
 
ℹ️ Note on comment blocking: This pattern may produce false positives if your MCP tool legitimately passes comments or double-hyphens in text fields. Test with your specific tool's typical payloads before enabling in production. You may choose to skip this rule if your tools routinely handle free-text content.

Pattern 9 — Information Schema Reconnaissance High

Blocks queries against system catalog tables that attackers use to enumerate your database structure.

regex(?i)\b(INFORMATION_SCHEMA|sys\.(tables|columns|objects|procedures)|sysobjects|syscolumns)\b

Pattern 10 — Tautology / Always-True Conditions Medium

Blocks common always-true conditions used to bypass WHERE clauses (e.g., OR 1=1, OR 'a'='a').

regex(?i)\bOR\s+(['"]?\w+['"]?\s*=\s*['"]?\w+['"]?)\s*(--|;|$)

Consolidated Pattern (All-in-One)

If you prefer a single rule that covers the most critical patterns (1, 2, 4, 5, 6, and 7), use this combined regex:

regex — combined critical(?i)(\b(DROP|ALTER|TRUNCATE)\s+(TABLE|DATABASE|SCHEMA|INDEX|VIEW|COLUMN|PROCEDURE|FUNCTION|TRIGGER)\b|\b(DELETE\s+FROM\s+\w|UPDATE\s+\w+\s+SET)\b|\bINSERT\s+INTO\s+\w|\b(EXEC(UTE)?(\s+|\()|xp_cmdshell|sp_executesql)\b|\bUNION\s+(ALL\s+)?SELECT\b|\b(GRANT|REVOKE)\s+(ALL|SELECT|INSERT|UPDATE|DELETE|EXECUTE|ALTER|CREATE|DROP)\b|;\s*(DROP|DELETE|UPDATE|INSERT|ALTER|TRUNCATE|EXEC|GRANT|REVOKE|CREATE|UNION)\b)

The trade-off: a single combined rule is simpler to manage but harder to debug when a legitimate request is blocked. Individual rules let you see exactly which pattern triggered the block in your MCPM logs.

Applying Rules in MCP Manager

  1. Navigate to your Gateway in the MCP Manager dashboard.
  2. Open the Rules tab for the gateway.
  3. Click Add Rule.
  4. Configure the rule:
    • Detection method: Select Regular Expression to protect against SQL injection.
    • Matching patterns: Paste one of the regex patterns above.
    • Action: Block (or another option) — the gateway will reject the request before it reaches the MCP server.
  5. Repeat for each pattern you want to enforce, or use the consolidated pattern for a single rule.
  6. Test the rules by sending sample tool calls through the gateway with both malicious and legitimate payloads to verify expected behavior.

Architecture: Read-Only vs. Read-Write Gateways

For database-connected MCP servers, we strongly recommend creating separate gateways for different permission levels rather than a single gateway with complex conditional rules.

Read-Only Gateway (recommended default)

This gateway is for the majority of AI agent use cases — retrieving tickets, looking up customer records, running reports.

  • Apply all 10 patterns above plus an additional rule blocking any INSERT statement.
  • The underlying database account used by the MCP server should also have read-only permissions (SELECT only). The gateway rules are a second layer of defense.
  • Assign this gateway to teams and roles that only need to query the ConnectWise data.

Read-Write Gateway (restricted access)

This gateway allows controlled write operations — creating tickets, updating statuses, closing items.

  • Apply Patterns 1, 4, 5, 6, 7, 8, and 9 (DDL, command execution, UNION injection, privilege escalation, stacked queries, comment obfuscation, and schema reconnaissance).
  • Deliberately omit Patterns 2 and 3 (DELETE FROM, UPDATE...SET, INSERT INTO) since these are the operations you intend to allow.
  • Assign this gateway only to trusted teams or specific service accounts that need write access.
  • Enable audit logging on this gateway so all write operations are recorded and reviewable.
✅ Best Practice: Principle of Least Privilege: Default all users and agents to the read-only gateway. Only promote to the read-write gateway after explicit approval. This mirrors standard database access control — the gateway layer enforces it before requests ever reach your MCP server.
Read-Only GatewayRead-Write Gateway
DDL Blocking (DROP, ALTER, TRUNCATE)✅ Enabled✅ Enabled
DELETE FROM / UPDATE SET✅ Enabled❌ Omitted (allowed)
INSERT INTO✅ Enabled❌ Omitted (allowed)
EXEC / xp_cmdshell✅ Enabled✅ Enabled
UNION SELECT✅ Enabled✅ Enabled
GRANT / REVOKE✅ Enabled✅ Enabled
Stacked Queries✅ Enabled✅ Enabled
Comment Obfuscation✅ Enabled✅ Enabled
Schema Reconnaissance✅ Enabled✅ Enabled
Tautology Conditions✅ Enabled✅ Enabled
Typical AssignmentAll users & agents (default)Trusted teams / service accounts only
Audit LoggingRecommendedRequired

Limitations and Additional Recommendations

What regex-based rules cannot catch

  • Encoding-based evasion: Attackers can use URL encoding (%27 for single quote), Unicode substitution, or hex encoding (0x44524F50 for "DROP") to bypass pattern matching.
  • Database dialect variations: These patterns target ANSI SQL and T-SQL (Microsoft SQL Server). PostgreSQL, MySQL, and Oracle have dialect-specific injection vectors (e.g., pg_sleep(), LOAD_FILE(), UTL_HTTP) that require additional patterns.
  • Stored procedure abuse: If your MCP server calls stored procedures that internally build dynamic SQL, the gateway cannot inspect what happens inside the database.

Complementary defenses

  • Parameterized queries in your MCP server: This is the single most effective defense. Ensure your MCP server never concatenates user input directly into SQL strings.
  • Use the Presidio entity classification model for added protection: MCP Manager offers an out of the box solution for blocking and alerting based on a smart classification model that can help identify person names, credit cards, and access tokens without needing to define a strict regex match.
  • Least-privilege database accounts: The database user your MCP server connects with should have only the permissions it needs — ideally SELECT-only for read operations.
  • Input validation at the MCP server: Validate and sanitize tool call arguments within the MCP server code before they reach any query builder.
  • MCP Manager audit logging: Enable logging on your gateway to maintain a record of all tool calls. Review logs periodically for unusual patterns.
  • Human-in-the-loop for write operations: For high-risk actions, consider using MCPM's approval workflow to require human confirmation before write operations execute.
ℹ️ Need help configuring these rules? Contact MCP Manager support or your account team if you need assistance tailoring these patterns to your specific MCP server and database environment.

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk