Now, just for giggles here's the regex. It's for a simple SQL like Where
clause query language. Hopefully it makes sense :) According to my work
colleagues I am considered weird for enjoying writing a regex and they're
certainly more fun than waiting for the election result ;) (This was for a
It was a very simple cutdown SQL (think just a where clause) and the regex
was a multiline affair which picked out tokens using named groups. I then
had a function that skipped whitespace tokens and returned the next token
(group name) and the value (parsed and validated for dates and numeric
On 12/12/19, Warren Young wrote:
> On Dec 12, 2019, at 6:08 AM, Mike King wrote:
>>
>> ...I decided on a simple subset of
>> SQL and then wrote a parser using a regex as the tokeniser.
>
> First, [SQL is not a regular language][1], so it probably cannot be
> completely parsed by regexes. Not by
On Dec 12, 2019, at 6:08 AM, Mike King wrote:
>
> ...I decided on a simple subset of
> SQL and then wrote a parser using a regex as the tokeniser.
First, [SQL is not a regular language][1], so it probably cannot be completely
parsed by regexes. Not by a single regex without surrounding logic,
I had to do something similar. In the end I decided on a simple subset of
SQL and then wrote a parser using a regex as the tokeniser. The output was
SQL. By doing it this way I could validate field names and make sure all
values were correctly formatted and escaped.
Cheers
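The tokeniser-plus-parser approach described above (regex with named groups, whitespace tokens skipped, values parsed and validated, field names checked) as an added example in Python; it is not Mike King's code. The grammar, the field allowlist and the sample input are constructed for the example, and where the post says the output was SQL with escaped values, this version emits `?` placeholders with a parameter list instead, so user values are never spliced into the SQL text.

```python
import re
from datetime import date

# One named group per token kind; m.lastgroup tells us which kind matched.
# 'date' is listed before 'number' so 2019-12-12 is not split into 2019 - 12 - 12,
# and 'keyword' before 'ident' so that "and"/"or"/"not" are not taken as field names.
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<date>\d{4}-\d{2}-\d{2})
  | (?P<number>-?\d+(?:\.\d+)?)
  | (?P<string>'(?:[^']|'')*')
  | (?P<op><=|>=|<>|!=|=|<|>)
  | (?P<lparen>\()
  | (?P<rparen>\))
  | (?P<keyword>(?i:and|or|not)\b)
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
""", re.VERBOSE)

# Constructed allowlist of fields the caller may filter on (assumption).
ALLOWED_FIELDS = {"name", "created", "qty"}


def tokenize(text):
    """Return a list of (kind, value) tokens; whitespace is skipped, values validated."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:  # anything the regex does not know (e.g. ';' or '--') is rejected outright
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos, kind = m.end(), m.lastgroup
        raw = m.group(kind)
        if kind == "ws":
            continue
        if kind == "number":
            value = float(raw) if "." in raw else int(raw)
        elif kind == "date":
            value = date.fromisoformat(raw)  # rejects impossible dates such as 2019-13-45
        elif kind == "string":
            value = raw[1:-1].replace("''", "'")  # undo SQL-style quote doubling
        elif kind == "keyword":
            value = raw.lower()
        else:
            value = raw
        tokens.append((kind, value))
    return tokens


class Parser:
    """expr := term (('and'|'or') term)* ; term := 'not' term | '(' expr ')' | ident op value"""

    def __init__(self, tokens, allowed_fields):
        self.tokens, self.i, self.allowed, self.params = tokens, 0, allowed_fields, []

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)

    def take(self, kind):
        k, v = self.peek()
        if k != kind:
            raise ValueError(f"expected {kind}, got {k} {v!r}")
        self.i += 1
        return v

    def expr(self):
        sql = self.term()
        while self.peek() in (("keyword", "and"), ("keyword", "or")):
            kw = self.take("keyword")
            sql = f"{sql} {kw.upper()} {self.term()}"
        return sql

    def term(self):
        k, v = self.peek()
        if (k, v) == ("keyword", "not"):
            self.take("keyword")
            return f"NOT {self.term()}"
        if k == "lparen":
            self.take("lparen")
            inner = self.expr()
            self.take("rparen")
            return f"({inner})"
        field = self.take("ident")
        if field not in self.allowed:  # identifiers are checked, never trusted
            raise ValueError(f"unknown field {field!r}")
        op = self.take("op")
        k, v = self.peek()
        if k not in ("number", "date", "string"):
            raise ValueError(f"expected a value after {field} {op}, got {k}")
        self.i += 1
        self.params.append(v.isoformat() if isinstance(v, date) else v)
        return f'"{field}" {op} ?'  # value becomes a bound parameter, not SQL text


def compile_where(text, allowed_fields=ALLOWED_FIELDS):
    """Turn the mini-language into ('WHERE ...', [params]) or raise ValueError."""
    p = Parser(tokenize(text), allowed_fields)
    sql = p.expr()
    if p.peek() != (None, None):
        raise ValueError(f"trailing input: {p.peek()!r}")
    return "WHERE " + sql, p.params


if __name__ == "__main__":
    print(compile_where("name = 'O''Brien' and (qty >= 10 or created < 2019-12-12)"))
```

The `compile_where` result is meant to be appended to a fixed `SELECT ... FROM table` and executed with the parameter list, so the only text under the user's control that reaches the database is the operator set and allowlisted identifiers.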
On Thu, 12 Dec 2019
On 12/12/19, test user wrote:
> Hello,
>
> How can I secure user supplied SQL statements in a single process?
See https://www.sqlite.org/security.html for an introduction.
Other suggestions:
(1) Run the process that is evaluating user-supplied SQL in a sandbox,
where it can do no harm if it
On Thu, Dec 12, 2019 at 1:47 PM test user wrote:
> How can I secure user supplied SQL statements in a single process?
>
The one mechanism SQLite has is the authorizer [1].
Whether that's good enough for you, that's for you to determine. --DD
[1] https://www.sqlite.org/c3ref/set_authorizer.html
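An added example (not from any poster on this thread) of the authorizer mechanism referenced above, using Python's `sqlite3` binding of `sqlite3_set_authorizer`. The callback is an allowlist: SELECT, reads of one named table, and a handful of scalar functions are permitted; a sensitive column is masked with `SQLITE_IGNORE` (it reads as NULL); everything else, including writes, PRAGMA, ATTACH and schema changes, is refused at prepare time. The schema, table names and rows are constructed for the example.

```python
import sqlite3

# Constructed policy (assumptions for this example).
VISIBLE_TABLES = {"products"}
HIDDEN_COLUMNS = {("products", "cost_price")}
ALLOWED_FUNCTIONS = {"length", "upper", "lower", "abs"}


def make_authorizer(log):
    """Build an allowlist authorizer; denials are appended to `log` for monitoring."""

    def authorize(action, arg1, arg2, db_name, trigger_or_view):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_FUNCTION:  # arg2 is the function name
            if arg2 in ALLOWED_FUNCTIONS:
                return sqlite3.SQLITE_OK
            log.append(f"deny function {arg2}")
            return sqlite3.SQLITE_DENY
        if action == sqlite3.SQLITE_READ:  # arg1 = table, arg2 = column
            if arg1 not in VISIBLE_TABLES:
                log.append(f"deny read {arg1}.{arg2}")
                return sqlite3.SQLITE_DENY
            if (arg1, arg2) in HIDDEN_COLUMNS:
                return sqlite3.SQLITE_IGNORE  # statement runs, column yields NULL
            return sqlite3.SQLITE_OK
        # Every other action code (INSERT, UPDATE, DELETE, PRAGMA, ATTACH, CREATE_*, ...)
        log.append(f"deny action {action} {arg1} {arg2}")
        return sqlite3.SQLITE_DENY

    return authorize


def open_sandboxed_connection(log):
    """Create a populated in-memory database, then install the authorizer."""
    # isolation_level=None: no implicit BEGIN, so a denied UPDATE fails on the UPDATE itself.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL, cost_price REAL)")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)",
                     [(1, "widget", 9.5, 4.0), (2, "gadget", 19.0, 8.0)])
    conn.execute("INSERT INTO users VALUES (1, 'a@example.test', 'hash')")
    conn.set_authorizer(make_authorizer(log))  # installed only after trusted setup
    return conn


def run_user_sql(conn, sql):
    """Execute untrusted SQL; return ('ok', rows) or ('denied', message)."""
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as e:  # SQLITE_AUTH surfaces as DatabaseError
        return "denied", str(e)


if __name__ == "__main__":
    denials = []
    c = open_sandboxed_connection(denials)
    for stmt in ("SELECT name, price FROM products ORDER BY id",
                 "SELECT name, cost_price FROM products WHERE id = 1",
                 "SELECT email FROM users",
                 "UPDATE products SET price = 0",
                 "PRAGMA writable_schema = 1"):
        print(stmt, "->", run_user_sql(c, stmt))
    print("denials:", denials)
```

The authorizer only limits what a statement may touch; it does not bound CPU time or memory, so it is normally paired with `sqlite3_progress_handler`/`sqlite3_limit` style controls and the process-level isolation suggested elsewhere in this thread.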
Hello,
How can I secure user supplied SQL statements in a single process?
For example, if I had a public web service that allows users to create
their own SQL strings that I then run in a single server process, what are
the chances that they would be able to obtain general remote code execution?