I had to do something similar. In the end I decided on a simple subset of
SQL and then wrote a parser using a regex as the tokeniser. The output was
SQL. By doing it this way I could validate field names and make sure all
values were correctly formatted and escaped.

Cheers

On Thu, 12 Dec 2019 at 13:01, Richard Hipp <d...@sqlite.org> wrote:

> On 12/12/19, test user <example.com.use...@gmail.com> wrote:
> > Hello,
> >
> > How can I secure user supplied SQL statements in a single process?
>
> See https://www.sqlite.org/security.html for an introduction.
>
> Other suggestions:
>
> (1) Run the process that is evaluating user-supplied SQL in a sandbox,
> where it can do no harm if it does malfunction.
>
> (2) Limit the SQL to verified users.  Do not allow SQL from anonymous
> robots on the internet.
>
> (3) Restrict the scope of SQL using the authorizer, if possible.
>
> (4) Always use the latest available version of SQLite with all the
> latest patches.
>
> --
> D. Richard Hipp
> d...@sqlite.org
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>
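As an added illustration of the approach in the first message (this is example code, not either poster's): a regex tokeniser over a small SELECT-only subset, a parser that checks every table and column name against an allowlist, and emitted SQL that uses `?` placeholders with the literal values returned for binding instead of being escaped into the string (a swap from the escaping the message describes). The `ALLOWED` schema, the grammar and the `compile_query` name are assumptions made for the example.

```python
import re

# Constructed allowlist of the tables and columns users may query (assumption for this example).
ALLOWED = {"orders": {"id", "customer", "total"}}
# Regex tokeniser for the subset:  SELECT cols FROM table [WHERE col op literal [AND ...]]
TOKEN_RE = re.compile(r"""\s*(?:(?P<kw>SELECT|FROM|WHERE|AND)\b|(?P<ident>[A-Za-z_]\w*)
    |(?P<num>\d+)|(?P<str>'(?:[^']|'')*')|(?P<op><>|<=|>=|=|<|>)|(?P<comma>,))""",
    re.VERBOSE | re.IGNORECASE)

def tokenise(text):
    """Return (kind, value) tokens; any character outside the subset (';', '--', ...) is rejected."""
    text, pos, toks = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}")
        k = m.lastgroup
        toks.append((k, m.group(k).upper() if k == "kw" else m.group(k)))
        pos = m.end()
    return toks

def compile_query(text):
    """Parse the subset, check identifiers against ALLOWED and return (sql, params):
    the SQL carries '?' placeholders and the literals are handed back for binding."""
    toks, i = tokenise(text), 0
    def take(kind, val=None):  # consume one token of the expected kind, or fail
        nonlocal i
        if i >= len(toks) or toks[i][0] != kind or (val and toks[i][1] != val):
            raise ValueError(f"expected {val or kind} at token {i}")
        i += 1
        return toks[i - 1][1]
    take("kw", "SELECT")
    cols = [take("ident")]
    while i < len(toks) and toks[i][0] == "comma":
        i += 1
        cols.append(take("ident"))
    take("kw", "FROM")
    table, conds, params = take("ident"), [], []
    while i < len(toks):  # optional WHERE clause; anything else here is a parse error
        take("kw", "WHERE" if not conds else "AND")
        col, op = take("ident"), take("op")
        kind, raw = toks[i] if i < len(toks) else ("eof", "")
        if kind not in ("num", "str"):
            raise ValueError("expected a literal after the operator")
        i += 1
        params.append(int(raw) if kind == "num" else raw[1:-1].replace("''", "'"))
        conds.append((col, op))
    if table not in ALLOWED or any(c not in ALLOWED[table] for c in cols + [c for c, _ in conds]):
        raise ValueError("table or column not in the allowlist")
    sql = f"SELECT {', '.join(cols)} FROM {table}"
    return (sql + " WHERE " + " AND ".join(f"{c} {o} ?" for c, o in conds) if conds else sql), params
```

The returned pair is meant to go straight into `cursor.execute(sql, params)`, so a quote inside a string literal or a stray `;` never reaches the database as SQL text.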
