Jim Correia <[EMAIL PROTECTED]> wrote:
> 
> Is a 1MB limit on the SQL intentional?
> 
> Per my previous message, the comment in the source disagrees with the  
> value.
> 
> Also, at the default value, .dump/.load will only support rows of  
> about 1/2 MB (to account for hex expansion), while the default limit  
> for BLOB columns is 1GB.
> 
> In other words, independent of the solution to my current problem,  
> should the default value be changed in the trunk version of SQLite?
> 

The limits in SQLite (introduced in version 3.4.0) were added
at the request of the Google Gears developers.  Consider the
situation that Gears and similar applications (such as Adobe AIR)
are in.  They have to accept generic SQL from untrusted sources
on the open internet then run that SQL in a secure manner.  It
turns out that there were all kinds of attacks against SQLite
if you feed it untrusted SQL.  The introduction of hard
limits on the size of strings and BLOBs and SQL statements is
one part of our efforts to close holes in SQLite and make it
proof against malicious SQL attacks.  (We are not there yet,
BTW, but we are much closer.)

There are places in the SQLite parser and code generator which
are O(N*N) where N is the size of the SQLite statement in tokens.
By setting the SQL statement size limit to 1MB we reduce the
opportunity to launch a denial of service attack by injecting
SQL that takes advantage of O(N*N) performance to bring your
desktop to its knees.

You should normally not be inserting megabyte-sized blobs and
strings using raw SQL.  Instead, use bound parameters:

    /* db is an open sqlite3*; pBlobContent/nBlobContent are the bytes and their length */
    sqlite3_prepare(db, "INSERT INTO tablexyz VALUES(:blobcontent)", -1, &pStmt, 0);
    sqlite3_bind_blob(pStmt, 1, pBlobContent, nBlobContent, SQLITE_STATIC);
    sqlite3_step(pStmt);
    sqlite3_finalize(pStmt);

Yes, this does create problems for .dump/.load in the shell.
But, as has been pointed out, you can work around it using
a compile-time switch:

    gcc -DSQLITE_MAX_SQL_LENGTH=1000000000 shell.c sqlite3.c -o sqlite3

I should probably modify the makefile to do this automatically...
--
D. Richard Hipp <[EMAIL PROTECTED]>
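The contrast above, as an added example that is not part of this thread: a large BLOB written once as an X'..' hex literal inside the statement text (what .dump emits) and once as a bound parameter. It uses Python's built-in sqlite3 module, a thin wrapper over the same C API; the table name and the 600 KB constructed sample are assumptions. Where the interpreter exposes sqlite3_limit() (Connection.setlimit, Python 3.11 and later) the statement-length limit is pinned to 1 MB to reproduce the default discussed here; on older interpreters the library's compiled-in default applies.

```python
import os
import sqlite3

SQL_LENGTH_LIMIT = 1_000_000   # the 1 MB SQLITE_MAX_SQL_LENGTH discussed in the thread
# Connection.setlimit() wraps sqlite3_limit() and exists from Python 3.11 on;
# without it the connection keeps the library's compiled-in default.
LIMIT_ENFORCED = hasattr(sqlite3.Connection, "setlimit")


def open_db():
    """Open an in-memory database with one BLOB column and, where possible,
    cap the per-connection SQL statement length at SQL_LENGTH_LIMIT."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tablexyz(content BLOB)")   # assumed table name
    if LIMIT_ENFORCED:
        conn.setlimit(sqlite3.SQLITE_LIMIT_SQL_LENGTH, SQL_LENGTH_LIMIT)
    return conn


def insert_raw_sql(conn, blob):
    """Embed the BLOB in the statement text as an X'..' hex literal, the way
    .dump output does.  The SQL text is about twice the blob size, so any
    blob over roughly SQL_LENGTH_LIMIT/2 bytes exceeds the limit.  Returns
    True if the insert succeeded, False if SQLite refused the statement."""
    sql = "INSERT INTO tablexyz VALUES(X'%s')" % blob.hex()
    try:
        conn.execute(sql)
        return True
    except sqlite3.Error:          # SQLITE_TOOBIG surfaces as a DataError
        return False


def insert_bound(conn, blob):
    """Bind the BLOB as a parameter (sqlite3_bind_blob underneath).  The SQL
    text stays a few dozen bytes however large the blob is; the data itself
    is only subject to SQLITE_MAX_LENGTH, not SQLITE_MAX_SQL_LENGTH."""
    conn.execute("INSERT INTO tablexyz VALUES(?)", (blob,))
    return True


def stored_blobs(conn):
    """Return every BLOB currently in the table, in insertion order."""
    return [row[0] for row in conn.execute("SELECT content FROM tablexyz")]


def demo(blob_size=600_000):
    """Run both insert paths on a constructed 600 KB blob (hex literal ~1.2 MB)
    and report which succeeded and whether the stored bytes round-trip."""
    blob = os.urandom(blob_size)   # constructed sample data
    conn = open_db()
    raw_ok = insert_raw_sql(conn, blob)
    bound_ok = insert_bound(conn, blob)
    return {
        "raw_ok": raw_ok,
        "bound_ok": bound_ok,
        "roundtrip": stored_blobs(conn)[-1] == blob,
    }


if __name__ == "__main__":
    print(demo())
```

With the limit enforced, the raw-SQL path is refused before the parser ever sees the 1.2 MB statement, while the bound-parameter path stores the same bytes unchanged; this is exactly why .dump output hits the limit at about half the BLOB size that a bound insert handles.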

