Database Query MCP Server

Instructions

Implementation Reference

• db-query-tool.js:204-243 (handler)

  The executeMySQL method in DatabaseQueryTool class implements the core handler logic for the 'query_mysql' tool. It validates the query is read-only, establishes a MySQL connection, executes the query, processes results, handles errors, and closes the connection.
  async executeMySQL(config) { const { querySql } = config; // 检查是否为只读查询 if (!this.isReadOnlyQuery(querySql)) { return { success: false, error: "不允许执行非只读操作。仅支持SELECT、SHOW、DESCRIBE等查询语句。", code: "READONLY_VIOLATION" }; } let connection; try { // 建立数据库连接 connection = await this.getMySQLConnection(config); // 执行查询 const result = await this.executeMySQLQuery(connection, querySql); // 返回结果 return { success: true, data: result.data, columns: result.columns, rowCount: result.rowCount }; } catch (error) { // 错误处理 return { success: false, error: error.message, code: error.code || 'DATABASE_ERROR' }; } finally { // 关闭数据库连接 await this.closeMySQLConnection(connection); } }
• mcp.full.config.js:33-73 (schema)

  Defines the tool metadata including name, description, input schema (with required fields: host, port, user, pwd, db, querySql), and annotations indicating read-only nature.
  query_mysql: { name: "query_mysql", description: "执行MySQL数据库查询（只读模式）", inputSchema: { type: "object", properties: { host: { type: "string", description: "数据库主机地址" }, port: { type: "integer", description: "数据库端口" }, user: { type: "string", description: "数据库用户名" }, pwd: { type: "string", description: "数据库密码" }, db: { type: "string", description: "数据库名称" }, querySql: { type: "string", description: "要执行的SQL查询语句（仅支持SELECT等只读操作）" } }, required: ["host", "port", "user", "pwd", "db", "querySql"] }, annotations: { title: "MySQL数据库查询工具（只读）", readOnlyHint: true, destructiveHint: false, idempotentHint: false, openWorldHint: false } },
• mcp-server.js:77-86 (registration)

  Registers the query_mysql tool (via config) in the list of available tools provided to MCP clients via ListToolsRequestSchema.
  server.setRequestHandler(ListToolsRequestSchema, async () => { return { tools: [ config.tools.query_mysql, config.tools.query_postgresql, config.tools.query_mssql, config.tools.query_oracle ] }; });
• mcp-server.js:35-54 (registration)

  In the CallToolRequestSchema handler, dispatches calls to 'query_mysql' by invoking dbTool.executeMySQL with the provided arguments.
  switch (request.params.name) { case config.tools.query_mysql.name: result = await dbTool.executeMySQL(request.params.arguments); break; case config.tools.query_postgresql.name: result = await dbTool.executePostgreSQL(request.params.arguments); break; case config.tools.query_mssql.name: result = await dbTool.executeMSSQL(request.params.arguments); break; case config.tools.query_oracle.name: result = await dbTool.executeOracle(request.params.arguments); break; default: throw new Error(`Unknown tool: ${request.params.name}`); }
• db-query-tool.js:23-71 (helper)

  Helper method used by the handler to validate that the provided SQL query is read-only (only allows SELECT, SHOW, etc., blocks DML/DDL).
  isReadOnlyQuery(sql) { // 转换为小写以便比较 const lowerSql = sql.trim().toLowerCase(); // 允许的只读操作关键词 const allowedPatterns = [ /^select/, /^show/, /^describe/, /^desc/, /^explain/, /^use/ ]; // 禁止的写操作关键词 const forbiddenPatterns = [ /insert/, /update/, /delete/, /drop/, /truncate/, /alter/, /create/, /replace/, /grant/, /revoke/, /commit/, /rollback/, /savepoint/, /set/ ]; // 检查是否包含禁止的关键词 for (const pattern of forbiddenPatterns) { if (pattern.test(lowerSql)) { return false; } } // 检查是否以允许的关键词开头 for (const pattern of allowedPatterns) { if (pattern.test(lowerSql)) { return true; } } // 如果既不明确允许也不明确禁止，默认为不安全 return false; }