Skip to main content

Database Reader

The Database Reader tool executes read-only SQL queries against the Magento database. It supports SELECT, DESCRIBE, SHOW, and EXPLAIN statements.

Access control

Access to this tool is controlled by the MCP Tools -> Built in -> System -> Database Reader ACL resource. Enable or disable it in System -> Permissions -> User Roles -> [Role] -> Role Resources.

In addition to ACL-based access, the Database Reader enforces table-level security through multiple layers. Each layer is evaluated in order, and access is denied if any layer blocks the table:

  1. Default security blacklist: blocks tables containing admin credentials, OAuth secrets, sessions, passwords, tokens, and other sensitive data. Can be disabled (not recommended).

  2. Global patterns: admin-configured patterns from Settings. Applied in blacklist or whitelist mode as configured.

  3. Role-specific patterns: additional per-role restrictions configured on the role edit page. Applied on top of global settings.

Restricted tables are not only protected from querying but also hidden from discovery — SHOW TABLES results are automatically filtered to show only accessible tables.

note

In all layers, patterns are matched without the table prefix. For example, if your table prefix is prefix_, the pattern sales_* will match the table prefix_sales_order.

Parameters

ParameterDescriptionTypeRequired
querySQL query to execute. Use {{table_name}} syntax for automatic table prefix resolution.stringYes
limitMaximum number of rows to return. Default: 100, max: 1000. Only applies to SELECT queries without an existing LIMIT clause.integerNo

Table prefix syntax

Use double curly braces around table names to automatically apply the store's table prefix:

SELECT * FROM {{catalog_product_entity}} LIMIT 10

If your store has the prefix prefix_, this resolves to:

SELECT * FROM prefix_catalog_product_entity LIMIT 10

Auto-limit

If a SELECT query does not include a LIMIT clause, one is automatically added using the limit parameter (default: 100). This prevents accidentally returning millions of rows.

Allowed statements

Only read-only statements are permitted:

  • SELECT — query data
  • DESCRIBE / DESC — show table structure
  • SHOW — list tables, columns, indexes, etc.
  • EXPLAIN — show query execution plan

Write operations (INSERT, UPDATE, DELETE, DROP, ALTER, TRUNCATE, etc.) are blocked.

Example queries

Count products:

SELECT COUNT(*) as total FROM {{catalog_product_entity}}

Show table structure:

DESCRIBE {{sales_order}}

List accessible tables:

SHOW TABLES

Query with joins:

SELECT o.increment_id, o.grand_total, o.created_at
FROM {{sales_order}} o
WHERE o.status = 'complete'
ORDER BY o.created_at DESC
LIMIT 5

Output

The tool returns:

  • row_count — number of rows returned
  • execution_time — query duration in milliseconds
  • columns — list of column names
  • rows — the result data

Settings

The Database Reader settings are located at Stores -> Configuration -> Mirasvit Extensions -> MCP Server -> Tools -> Database Reader.

tip

To apply changes, clear the Magento cache after modifying these settings.

  • Query Timeout (seconds): maximum execution time for SQL queries. If a query exceeds this limit, it is terminated. Valid range: 1-300 seconds. Default: 30.

  • Table Access Mode: defines how the table patterns list is interpreted.

    • Blacklist (default): tables matching the patterns are blocked. All other tables are accessible.
    • Whitelist: only tables matching the patterns are accessible. All other tables are blocked.

  • Table Patterns: one pattern per line. Use * as a wildcard. Examples:

    • sales_* — matches all tables starting with sales_
    • customer_entity — matches exact table name
    • catalog_* — matches all catalog tables

  • Include Default Security Blacklist: enables a built-in list of security patterns that block access to sensitive tables. Default: Yes.

warning

Disabling the default security blacklist may expose sensitive data including admin credentials, API tokens, OAuth secrets, and session data. Only disable this if you are using whitelist mode with a restrictive set of patterns.

  • Default Blacklist Patterns (read-only): displayed when the default blacklist is enabled. Shows all built-in patterns that protect sensitive tables.