Skip to main content
Glama
cesarvarela

PostgreSQL MCP Server

by cesarvarela
OverviewSchemaRelated ServersScoreDiscussions
TypeScript

execute-query

Execute parameterized SQL queries on PostgreSQL databases with built-in safety checks to prevent SQL injection. Supports SELECT, INSERT, UPDATE, and DELETE operations.

Instructions

Execute a parameterized SQL query with safety checks. Supports SELECT, INSERT, UPDATE, DELETE operations with parameter binding to prevent SQL injection.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
queryYes
paramsNo
explainNo

Implementation Reference

  • tools/executeQuery.ts:22-136 (handler)
    Core handler function for 'execute-query' tool: validates input, checks connection and SQL safety (blocks DROP/TRUNCATE/CREATE/INSERT, requires WHERE for UPDATE/DELETE), optionally runs EXPLAIN, executes query via executePostgresQuery, processes numeric results, formats response with query type, timing, row count.
    export async function executeQuery(
  rawParams: any
): McpToolResponse {
  try {
    // Validate and parse parameters
    const params = executeQuerySchema.parse(rawParams);
    
    // Check database connection status
    const connectionStatus = getConnectionStatus();
    if (connectionStatus.status !== 'connected') {
      return createDatabaseUnavailableResponse("execute SQL query");
    }
    
    const { query, params: queryParams, explain } = params;

    // Basic security checks
    const trimmedQuery = query.trim().toLowerCase();
    
    // Prevent dangerous operations
    const dangerousPatterns = [
      /drop\s+table/i,
      /drop\s+database/i,
      /drop\s+schema/i,
      /truncate\s+table/i,
      /alter\s+table.*drop/i,
      /alter\s+table.*add/i, // Prevent adding columns
      /create\s+table/i, // Prevent creating tables
      /insert\s+into/i, // Prevent data insertion for security
    ];

    // Check for DELETE/UPDATE without WHERE clause
    if (trimmedQuery.startsWith('delete from') && !trimmedQuery.includes(' where ')) {
      throw new Error(`DELETE without WHERE clause is not allowed for safety.`);
    }
    if (trimmedQuery.startsWith('update ') && trimmedQuery.includes(' set ') && !trimmedQuery.includes(' where ')) {
      throw new Error(`UPDATE without WHERE clause is not allowed for safety.`);
    }

    for (const pattern of dangerousPatterns) {
      if (pattern.test(query)) {
        throw new Error(`Potentially dangerous SQL operation detected. Query rejected for safety.`);
      }
    }


    const startTime = Date.now();
    let results: any[];
    let executionPlan: any[] | undefined;

    // Execute EXPLAIN if requested
    if (explain) {
      const explainQuery = `EXPLAIN (FORMAT JSON, ANALYZE, BUFFERS) ${query}`;
      try {
        executionPlan = await executePostgresQuery(explainQuery, queryParams);
      } catch (explainError) {
        debug("Failed to get execution plan: %o", explainError);
        // Continue with normal execution even if EXPLAIN fails
      }
    }

    // Execute the main query
    results = await executePostgresQuery(query, queryParams);
    const executionTime = Date.now() - startTime;

    // Convert numeric strings to numbers for better usability
    results = results.map(row => {
      const convertedRow: any = {};
      for (const [key, value] of Object.entries(row)) {
        if (typeof value === 'string' && value !== '' && !isNaN(Number(value))) {
          // Only convert if it's a proper numeric string
          const numValue = Number(value);
          if (Number.isInteger(numValue) || !Number.isNaN(numValue)) {
            convertedRow[key] = numValue;
          } else {
            convertedRow[key] = value;
          }
        } else {
          convertedRow[key] = value;
        }
      }
      return convertedRow;
    });

    // Determine query type
    let queryType = "SELECT";
    if (trimmedQuery.startsWith("insert")) {
      queryType = "INSERT";
    } else if (trimmedQuery.startsWith("update")) {
      queryType = "UPDATE";
    } else if (trimmedQuery.startsWith("delete")) {
      queryType = "DELETE";
    } else if (trimmedQuery.startsWith("create")) {
      queryType = "CREATE";
    } else if (trimmedQuery.startsWith("alter")) {
      queryType = "ALTER";
    }

    const response = {
      success: true,
      query_type: queryType,
      execution_time_ms: executionTime,
      row_count: results.length,
      data: results,
      results: results, // Add for backward compatibility with tests
      ...(executionPlan && { execution_plan: executionPlan }),
      executed_at: new Date().toISOString(),
    };

    debug("Query executed successfully: %s rows in %dms", results.length, executionTime);
    return createMcpSuccessResponse(response);

  } catch (error) {
    return createMcpErrorResponse("execute query", error);
  }
}
  • tools/executeQuery.ts:12-20 (schema)
    Zod schema defining inputs for execute-query: 'query' (required SQL string), 'params' (optional array of parameters), 'explain' (optional boolean for execution plan).
    // Zod schema for input validation
export const executeQueryShape: ZodRawShape = {
  query: z.string().min(1, "SQL query is required"),
  params: z.array(z.any()).optional().default([]),
  explain: z.boolean().optional().default(false),
};

export const executeQuerySchema = z.object(executeQueryShape);
  • index.ts:41-46 (registration)
    Registration of 'execute-query' tool in McpServer with description, input schema (executeQueryShape), and handler (executeQuery).
    server.tool(
  "execute-query",
  "Execute a parameterized SQL query with safety checks. Supports SELECT, INSERT, UPDATE, DELETE operations with parameter binding to prevent SQL injection.",
  executeQueryShape,
  executeQuery
);
Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/cesarvarela/postgres-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server