Re: [sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread Mike King
Now, just for giggles here's the regex. It's for a simple SQL like Where clause query language. Hopefully it makes sense :) According to my work colleagues I am considered weird for enjoying writing a regex and they're certainly more fun than waiting for the election result ;) (This was for a

Re: [sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread Mike King
It was a very simple cutdown SQL (think just a where clause) and the regex was a multiline affair which picked out tokens using named groups. I then had a function that skipped whitespace tokens and returned the next token (group name) and the value (parsed and validated for dates and numeric

Re: [sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread Richard Hipp
On 12/12/19, Warren Young wrote:
> On Dec 12, 2019, at 6:08 AM, Mike King wrote:
>>
>> ...I decided on a simple subset of
>> SQL and then wrote a parser using a regex as the tokeniser.
>
> First, [SQL is not a regular language][1], so it probably cannot be
> completely parsed by regexes. Not by

Re: [sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread Warren Young
On Dec 12, 2019, at 6:08 AM, Mike King wrote:
>
> ...I decided on a simple subset of
> SQL and then wrote a parser using a regex as the tokeniser.

First, [SQL is not a regular language][1], so it probably cannot be completely parsed by regexes. Not by a single regex without surrounding logic,

Re: [sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread Mike King
I had to do something similar. In the end I decided on a simple subset of SQL and then wrote a parser using a regex as the tokeniser. The output was SQL. By doing it this way I could validate field names and make sure all values were correctly formatted and escaped.

Cheers

On Thu, 12 Dec 2019

Re: [sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread Richard Hipp
On 12/12/19, test user wrote:
> Hello,
>
> How can I secure user supplied SQL statements in a single process?

See https://www.sqlite.org/security.html for an introduction.

Other suggestions:

(1) Run the process that is evaluating user-supplied SQL in a sandbox, where it can do no harm if it

Re: [sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread Dominique Devienne
On Thu, Dec 12, 2019 at 1:47 PM test user wrote:
> How can I secure user supplied SQL statements in a single process?
>
The one mechanism SQLite has is the authorizer [1]. Whether that's good enough for you, that's for you to determine. --DD

[1] https://www.sqlite.org/c3ref/set_authorizer.html

[sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread test user
Hello,

How can I secure user supplied SQL statements in a single process? For example, if I had a public web service that allows users to create their own SQL strings that I then run in a single server process, what are the chances that they would be able to obtain general remote code execution?