Database MCP

Security

How Database MCP protects your data

Database MCP is designed with security as a primary concern. When you give an AI assistant access to your database, you need confidence that your data is protected. Here is how Database MCP keeps your data safe.

Read-Only Mode

By default, Database MCP runs in read-only mode. This controls which tools the AI assistant can see and use.

Tool-Level Access Control

In read-only mode, write tools (write_query, create_database) are not registered with the MCP client. The AI assistant never sees them in the tool list, which prevents it from attempting write operations entirely.

When read-only mode is disabled, the full tool set becomes available. See Features for the complete tool availability matrix.

SQL Validation in read_query

The read_query tool enforces AST-based SQL validation as defence-in-depth. Only the following SQL operations are permitted:

  • SELECT — read data from tables
  • SHOW — view database and table metadata
  • DESCRIBE / DESC — inspect table structure
  • USE — switch between databases
  • EXPLAIN — view query execution plans

This validation is always enforced, even when read-only mode is disabled, preventing write statements from being smuggled through the read tool.

Blocked Operations

The following are always blocked regardless of mode:

  • LOAD_FILE() — prevents reading files from the server filesystem
  • SELECT INTO OUTFILE / SELECT INTO DUMPFILE — prevents writing files to the server filesystem

SQL comments and string contents are stripped before validation to prevent bypass attempts.

Injection Prevention

Database MCP implements multiple layers of protection against SQL injection:

Multi-Statement Blocking

The server never enables multi-statement execution on database connections. This prevents an attacker from appending malicious statements (such as ; DROP TABLE users) to a legitimate query.

Parameterized Queries

User-provided values are never interpolated into SQL strings. All values are passed through parameterized queries, which ensures the database treats them as data rather than executable SQL.

Identifier Validation

Database and table names are validated to contain only alphanumeric characters and underscores. Names are then properly quoted using each database backend's native quoting mechanism, preventing injection through crafted identifiers.
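
The two rules above (values bound as parameters, identifiers validated and then quoted) can be seen working together in the following added example. It is not Database MCP's own code: the function names, the backend keys and the use of an in-memory SQLite database are assumptions made for illustration, and the hostile inputs are constructed.

```python
import re
import sqlite3

# Assumed quote character per backend; the backend keys are illustrative.
QUOTES = {"mysql": "`", "postgres": '"', "sqlite": '"'}
IDENT_RE = re.compile(r"[A-Za-z0-9_]+")


def quote_identifier(name: str, backend: str = "sqlite") -> str:
    """Validate a database or table name, then quote it for the backend."""
    # fullmatch, not match: match() anchors only at the start, so it would
    # accept 'users; DROP TABLE x'. fullmatch also rejects a trailing newline.
    if not IDENT_RE.fullmatch(name):
        raise ValueError(f"invalid identifier: {name!r}")
    q = QUOTES[backend]
    return f"{q}{name}{q}"


def find_by_name(conn, table: str, name: str):
    """The identifier is validated and quoted; the value is a bound parameter."""
    sql = f"SELECT id, name FROM {quote_identifier(table)} WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    results = {"normal": find_by_name(conn, "users", "alice")}
    # Constructed hostile value: compared as a literal string, matches no row.
    results["hostile_value"] = find_by_name(conn, "users", "alice' OR '1'='1")
    # Constructed hostile identifier: rejected before any SQL is built.
    try:
        find_by_name(conn, 'users" WHERE 1=1 --', "alice")
        results["hostile_table"] = "accepted"
    except ValueError:
        results["hostile_table"] = "rejected"
    results["row_count"] = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```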

Disabling Read-Only Mode

Read-only mode can be explicitly disabled if you need write access. Set the MCP_READ_ONLY environment variable to false or pass the --read-only false flag. This makes write_query and create_database (where supported) available to the AI assistant. Only disable read-only mode in environments where you trust the AI assistant to make changes to your data.
