It was a very simple cut-down SQL (think just a where clause) and the regex
was a multiline affair which picked out tokens using named groups. I then
had a function that skipped whitespace tokens and returned the next token
(group name) and the value (parsed and validated for dates and numeric
values, strings were escaped).

Secondly, my code is designed to run on many databases not just SQLite and
I don’t have access at the level you describe from a .Net driver. So using
something specific to one manufacturer is not a good idea nor is writing
custom code for each database.

All this was possible and I just added my experiences to show it is
possible with a little thought.

Cheers



On Thu, 12 Dec 2019 at 19:29, Warren Young <war...@etr-usa.com> wrote:

> On Dec 12, 2019, at 6:08 AM, Mike King <making1...@gmail.com> wrote:
> >
> > ...I decided on a simple subset of
> > SQL and then wrote a parser using a regex as the tokeniser.
>
> First, [SQL is not a regular language][1], so it probably cannot be
> completely parsed by regexes.  Not by a single regex without surrounding
> logic, anyway.  There’s probably valid SQL that will pass your regex but
> give unwanted behavior.
>
> Second, you’re reinventing SQLite’s own authorizer, which runs based on
> the output of SQLite’s own well-tested SQL parsing engine.  (Which uses a
> proper parser, not a regex.)
>
> Security is not an area where you want to roll your own logic.  Use
> someone else’s well-tested solution whenever you can.
>
>
> [1]: https://stackoverflow.com/a/33415289/142454
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
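Warren's authorizer suggestion, as an added example that is not code from either poster: a read-only allow-list enforced with Python's sqlite3.Connection.set_authorizer, so the check runs on SQLite's own parse of the statement (subqueries included) rather than on a regex. The schema and the table names orders and users are constructed for the demonstration.

```python
import sqlite3

# Constructed sample schema: one table the caller may read, one it may not.
SCHEMA = """
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL);
CREATE TABLE users  (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT);
INSERT INTO orders VALUES (1, 'alice', 10.5), (2, 'bob', 99.0);
INSERT INTO users  VALUES (1, 'alice', 'hash-placeholder');
"""

ALLOWED_TABLES = {"orders"}  # hypothetical allow-list for this demo


def make_authorizer(allowed_tables):
    """Build an authorizer callback that permits only reads of allow-listed tables.

    SQLite invokes the callback once per action its parser discovers, so a
    subquery, join or compound statement touching another table is caught
    without any tokenising on our side.
    """
    def authorize(action, arg1, arg2, db_name, trigger_or_view):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK          # the SELECT statement itself
        if action == sqlite3.SQLITE_READ:
            # arg1 is the table, arg2 the column being read
            return sqlite3.SQLITE_OK if arg1 in allowed_tables else sqlite3.SQLITE_DENY
        if action == sqlite3.SQLITE_FUNCTION:
            return sqlite3.SQLITE_OK          # built-ins such as count(), upper()
        return sqlite3.SQLITE_DENY            # INSERT/UPDATE/DELETE/DROP/PRAGMA/...
    return authorize


def run_restricted(sql, params=()):
    """Run a user-supplied statement under the authorizer.

    Returns ("ok", rows) or ("denied", message); SQLite rejects a denied
    statement at prepare time with a "not authorized" DatabaseError.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)  # populate before the authorizer is installed
    conn.set_authorizer(make_authorizer(ALLOWED_TABLES))
    try:
        return "ok", conn.execute(sql, params).fetchall()
    except sqlite3.DatabaseError as exc:
        return "denied", str(exc)
    finally:
        conn.close()
```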