On Dec 12, 2019, at 6:08 AM, Mike King <making1...@gmail.com> wrote:
>
> ...I decided on a simple subset of
> SQL and then wrote a parser using a regex as the tokeniser.

First, [SQL is not a regular language][1], so it probably cannot be completely parsed by regexes. Not by a single regex without surrounding logic, anyway. There’s probably valid SQL that will pass your regex but give unwanted behavior.

Second, you’re reinventing SQLite’s own authorizer, which runs based on the output of SQLite’s own well-tested SQL parsing engine. (Which uses a proper parser, not a regex.)

Security is not an area where you want to roll your own logic. Use someone else’s well-tested solution whenever you can.

[1]: https://stackoverflow.com/a/33415289/142454
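
Added example, not part of the original message or of SQLite's own code: a minimal use of the authorizer the reply refers to, through Python's `sqlite3.Connection.set_authorizer`, showing that the decision is made on what SQLite's parser resolved rather than on the statement text. The tables, the `ALLOWED_READS` policy and the helper names are assumptions made up for the illustration.

```python
import sqlite3

# Constructed policy: the only table and columns a caller may read.
ALLOWED_READS = {"notes": {"id", "body"}}

def authorizer(action, arg1, arg2, db_name, source):
    """Called by SQLite while it compiles a statement, once per action."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK  # a SELECT as such; carries no table info
    if action == sqlite3.SQLITE_READ:
        # arg1 = table name, arg2 = column name, as resolved by the parser
        if arg2 in ALLOWED_READS.get(arg1, ()):
            return sqlite3.SQLITE_OK
    # Everything else (writes, DDL, PRAGMA, ATTACH, functions, ...) is refused.
    return sqlite3.SQLITE_DENY

def open_restricted():
    """Build a constructed sample database, then lock the connection down."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    conn.executescript("""
        CREATE TABLE notes(id INTEGER PRIMARY KEY, body TEXT);
        CREATE TABLE users(name TEXT, secret TEXT);
        INSERT INTO notes(body) VALUES ('first'), ('second');
        INSERT INTO users VALUES ('alice', 'constructed-secret');
    """)
    conn.set_authorizer(authorizer)  # applies to statements compiled from now on
    return conn

def run(conn, sql):
    """Return the rows, or None if SQLite rejected the statement."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError:  # raised for denials (and for syntax errors)
        return None

if __name__ == "__main__":
    conn = open_restricted()
    for sql in (
        "SELECT body FROM notes ORDER BY id",
        "SELECT body FROM notes UNION SELECT secret FROM users",
        "/* SELECT */ dElEtE FROM notes",  # comment and odd casing change nothing
        "DROP TABLE notes",
    ):
        print(f"{sql!r:58} -> {run(conn, sql)}")
```

The policy is deny-by-default, so statement types that were never considered are refused rather than slipping past a pattern.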