Jim Correia <[EMAIL PROTECTED]> wrote:
>
> Is a 1MB limit on the SQL intentional?
>
> Per my previous message, the comment in the source disagrees with the
> value.
>
> Also, at the default value, .dump/.load will only support rows of
> about 1/2 MB (to account for hex expansion), while the default limit
> for BLOB columns is 1GB.
>
> In other words, independent of the solution to my current problem,
> should the default value be changed in the trunk version of SQLite?
>

The limits in SQLite (introduced in version 3.4.0) were added at the
request of the Google Gears developers. Consider the situation that
Gears and similar applications (such as Adobe AIR) are in. They have
to accept generic SQL from untrusted sources on the open internet then
run that SQL in a secure manner. It turns out that there were all
kinds of attacks against SQLite if you feed it untrusted SQL. The
introduction of hard limits on the size of strings and BLOBs and SQL
statements is one part of our efforts to close holes in SQLite and
make it proof against malicious SQL attacks. (We are not there yet,
BTW, but we are much closer.)

There are places in the SQLite parser and code generator which are
O(N*N) where N is the size of the SQLite statement in tokens. By
setting the SQL statement size limit to 1MB we reduce the opportunity
to launch a denial of service attack by injecting SQL that takes
advantage of O(N*N) performance to bring your desktop to its knees.

You should normally not be inserting megabyte-sized blobs and strings
using raw SQL. Instead, use bound parameters:

    /* db: open sqlite3* handle; nBlobContent: size of the blob in bytes */
    sqlite3_prepare(db, "INSERT INTO tablexyz VALUES(:blobcontent)", -1, &pStmt, 0);
    sqlite3_bind_blob(pStmt, 1, pBlobContent, nBlobContent, SQLITE_STATIC);
    sqlite3_step(pStmt);

Yes, this does create problems for .dump/.load in the shell. But, as
has been pointed out, you can work around it using a compile-time
switch:

    gcc -DSQLITE_MAX_SQL_LENGTH=1000000000 shell.c sqlite3.c -o sqlite3

I should probably modify the makefile to do this automatically...

--
D. Richard Hipp <[EMAIL PROTECTED]>