Techniques described herein improve database security by reducing network attack surface area in conjunction with deep input validation. In an embodiment, a database session receives one or more network packets sent via a network, the database session including a database session state that specifies one or more database privileges. The database session reads said one or more network packets into one or more request-packet-buffers, wherein said one or more request-packet-buffers include an RPC op code for a database operation. Based on the one or more database privileges associated with the user associated with the database session, the database session determines whether the RPC op code may be executed. In response to determining that the RPC op code may be executed by said database session, the RPC op code is executed. In response to determining that the op code may not be executed by said database session, the execution of the RPC op code is prevented.