uSQLite does not (generally) enter into the details of the query it is
passed. There is, however, an exception for security. uSQLite requires a
login and (depending on the user and network) assigns the user a level:
0: No access
1: Select only
2: Update/Insert only
3: Select/Update/Insert only
4: Power user
These rules are enforced by looking at the first word in a query; the
code is at the bottom of this post. My problem is that I allow multiple
queries to be concatenated, and this is a useful feature for bulk inserts
and blocks of queries that must be executed atomically (the major hang-up
is level 2 for remote updates/inserts). However, with the present routine
I could do, e.g.:
Select 1;Drop table foo
with user level 1. AFAIK it would be sufficient if I modified the
ChekLevel routine so that it checks the first word and each word
that follows a semicolon (but I must also skip quoted semicolons). Is
this correct? Or can anybody think of any scenarios where this would
not work?
#include <string.h>
#include <strings.h>   /* strncasecmp */

/* Returns 1 if a user at uselevel may run query, 0 otherwise.
   Only the first word of the whole query is inspected, so a second
   statement after a ';' is never looked at. */
int ChekLevel(char *query,int uselevel){
    char *cur;
    cur=query;
    // strip leading whitespace and control characters
    while((*cur<=' ')&&(*cur))cur++;
    // strncasecmp is the same as strncmp except that
    // it ignores case. It is declared in <strings.h>
    // (POSIX); GNU libc and most other libs have it.
    if(!strncasecmp(cur,"SELECT",6))
        return ((uselevel<1)||(uselevel==2))?0:1;   // levels 1, 3 and 4
    if(!strncasecmp(cur,"UPDATE",6))
        return uselevel<2? 0:1;                     // levels 2, 3 and 4
    if(!strncasecmp(cur,"INSERT",6))
        return uselevel<2? 0:1;                     // levels 2, 3 and 4
    return uselevel<4? 0:1;                         // anything else: power user only
}
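The following is an added example, not the poster's code and not part of uSQLite, of the per-statement check the post proposes: the batch is walked statement by statement, and a ';' inside a quoted string, a quoted identifier or a comment does not end a statement. The function and helper names (ChekLevelMulti, StatementAllowed, SkipBlanks, WordIs) and the LVL_ constants are this example's own, and the lexical rules assumed are SQLite's: 'strings' with '' doubling, "..." / `...` / [...] identifiers, and -- and /* */ comments.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Access levels from the post: 0 none, 1 select, 2 update/insert,
   3 select/update/insert, 4 power user. (Constant names are this
   example's, not uSQLite's.) */
enum { LVL_NONE = 0, LVL_SELECT = 1, LVL_WRITE = 2, LVL_RW = 3, LVL_POWER = 4 };

/* Case-insensitive comparison of the whole word p[0..n) against kw,
   so "SELECTX" does not pass as "SELECT". */
static int WordIs(const char *p, size_t n, const char *kw)
{
    return n == strlen(kw) && strncasecmp(p, kw, n) == 0;
}

/* Is one statement whose first word is p[0..n) permitted at uselevel?
   Anything that is not plainly SELECT/UPDATE/INSERT (DROP, PRAGMA, ATTACH,
   WITH, EXPLAIN, BEGIN, an empty word, ...) is reserved for the power user. */
static int StatementAllowed(const char *p, size_t n, int uselevel)
{
    if (WordIs(p, n, "SELECT"))
        return uselevel == LVL_SELECT || uselevel >= LVL_RW;
    if (WordIs(p, n, "UPDATE") || WordIs(p, n, "INSERT"))
        return uselevel >= LVL_WRITE;
    return uselevel >= LVL_POWER;
}

/* Advance past whitespace, -- line comments and block comments.
   Returns NULL on an unterminated block comment. */
static const char *SkipBlanks(const char *p)
{
    for (;;) {
        if (isspace((unsigned char)*p)) {
            p++;
        } else if (p[0] == '-' && p[1] == '-') {
            while (*p && *p != '\n') p++;
        } else if (p[0] == '/' && p[1] == '*') {
            const char *e = strstr(p + 2, "*/");
            if (!e) return NULL;
            p = e + 2;
        } else {
            return p;
        }
    }
}

/* Check every statement in a ';'-separated batch. A ';' inside a 'string'
   (with '' doubling), "identifier", `identifier`, [identifier] or a comment
   does not end a statement. Returns 1 only if every statement is allowed
   for uselevel (an empty batch has nothing to deny); unknown leading words
   and unterminated literals or comments fail closed with 0. */
int ChekLevelMulti(const char *query, int uselevel)
{
    const char *p = query;
    for (;;) {
        /* start of a statement: skip blanks, comments and empty ";" */
        for (;;) {
            p = SkipBlanks(p);
            if (!p) return 0;
            if (*p != ';') break;
            p++;
        }
        if (!*p) return 1;                  /* end of batch, all checked */

        /* classify the statement by its first word */
        const char *w = p;
        while (isalpha((unsigned char)*p)) p++;
        if (!StatementAllowed(w, (size_t)(p - w), uselevel)) return 0;

        /* scan to the ';' that really ends this statement */
        while (*p && *p != ';') {
            char c = *p;
            if (c == '\'' || c == '"' || c == '`') {
                p++;                                    /* opening quote */
                while (*p && !(*p == c && p[1] != c)) {
                    if (*p == c) p++;                   /* doubled quote */
                    p++;
                }
                if (!*p) return 0;                      /* unterminated */
                p++;                                    /* closing quote */
            } else if (c == '[') {
                while (*p && *p != ']') p++;
                if (!*p) return 0;
                p++;
            } else if (c == '-' || c == '/') {
                const char *q = SkipBlanks(p);          /* comment, or just an operator? */
                if (!q) return 0;
                p = (q == p) ? p + 1 : q;
            } else {
                p++;
            }
        }
    }
}
```

With this, ChekLevelMulti("Select 1;Drop table foo", 1) returns 0 while a level-4 user still passes, and a ';' inside a literal such as 'it''s;' no longer splits the statement. The check deliberately fails closed: any first word it does not recognise needs level 4, so the "atomic block" case in the post would need BEGIN/COMMIT/ROLLBACK added to StatementAllowed for the levels that may use them. Note also that SQLite offers sqlite3_set_authorizer(), which calls back once per action while a statement is compiled; that enforces the same policy inside the engine rather than on the query text and is the more robust route if uSQLite can use it.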