Re: [sqlite] Registering a custom tokenizer per database rather than per connection
On Tue, Oct 12, 2010 at 8:40 AM, Drake Wilson wrote: > Just to clarify, a trigger isn't useful for this in general, because > you still have nowhere to get the function pointer from. Above I was > worrying that the current SQLite code might be less safe than it could > be as a result of allowing this in triggers by default. Since the tokenizer-registration code accepts an encoded pointer to a vtable, it probably should be considered unsafe to expose to users. For Gears and Chrome, where SQLite is exposed to web developers, we did manual tokenizer registration and disabled the SQL-based registration code. This can be done using authorizers. -scott ___ sqlite-users mailing list sqlite-users@sqlite.org http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
Re: [sqlite] Registering a custom tokenizer per database rather than per connection
Quoth Travis Orr , on 2010-10-12 08:17:38 -0700: > Drake Wilson said: > - However, it now occurs to me that it may be possible to use the > - fts3_tokenizer() function in a trigger, which is probably a bad thing > - when writing to untrusted databases. > > I suppose the only way to accomplish it would be to recompile sqlite3 > with my custom tokenizer in place. I think that may be more work that it > is worth. The idea of using a trigger is interesting, though I suspect > the performance hit from having to register the tokenizer on each > connection is minimal. Just to clarify, a trigger isn't useful for this in general, because you still have nowhere to get the function pointer from. Above I was worrying that the current SQLite code might be less safe than it could be as a result of allowing this in triggers by default. I wouldn't worry about the performance; the registration will likely be a minimal hit compared to setting up the connection in the first place. > Travis ---> Drake Wilson ___ sqlite-users mailing list sqlite-users@sqlite.org http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
Re: [sqlite] Registering a custom tokenizer per database rather than per connection
Drake Wilson said: - However, it now occurs to me that it may be possible to use the - fts3_tokenizer() function in a trigger, which is probably a bad thing - when writing to untrusted databases. I suppose the only way to accomplish it would be to recompile sqlite3 with my custom tokenizer in place. I think that may be more work that it is worth. The idea of using a trigger is interesting, though I suspect the performance hit from having to register the tokenizer on each connection is minimal. Travis -Original Message- From: sqlite-users-boun...@sqlite.org [mailto:sqlite-users-boun...@sqlite.org] On Behalf Of Drake Wilson Sent: October 8, 2010 9:02 PM To: General Discussion of SQLite Database Subject: Re: [sqlite] Registering a custom tokenizer per database rather than per connection Quoth Travis Orr , on 2010-10-08 13:37:25 -0700: > Is it possible to register a custom FTS3 tokenizer to be persistent in > the database so that it is available every time a connection is opened? Not really. How would this work? You open a database, and the function pointer for the tokenizer comes from... where? The physical pointer usually isn't guaranteed to be the same even for the same application running twice on the same machine. This would also have an impact on security: opening a database shouldn't allow it to access arbitrary C code from your program, and declaring which functions are allowed and which are not is just as much work as reregistering the tokenizer in the first place. However, it now occurs to me that it may be possible to use the fts3_tokenizer() function in a trigger, which is probably a bad thing when writing to untrusted databases. Hmm. ---> Drake Wilson ___ sqlite-users mailing list sqlite-users@sqlite.org http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users ___ sqlite-users mailing list sqlite-users@sqlite.org http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
Re: [sqlite] Registering a custom tokenizer per database rather than per connection
Quoth Travis Orr , on 2010-10-08 13:37:25 -0700: > Is it possible to register a custom FTS3 tokenizer to be persistent in > the database so that it is available every time a connection is opened? Not really. How would this work? You open a database, and the function pointer for the tokenizer comes from... where? The physical pointer usually isn't guaranteed to be the same even for the same application running twice on the same machine. This would also have an impact on security: opening a database shouldn't allow it to access arbitrary C code from your program, and declaring which functions are allowed and which are not is just as much work as reregistering the tokenizer in the first place. However, it now occurs to me that it may be possible to use the fts3_tokenizer() function in a trigger, which is probably a bad thing when writing to untrusted databases. Hmm. ---> Drake Wilson ___ sqlite-users mailing list sqlite-users@sqlite.org http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
[sqlite] Registering a custom tokenizer per database rather than per connection
Is it possible to register a custom FTS3 tokenizer to be persistent in the database so that it is available every time a connection is opened? Or do I need to reregister the tokenizer every time I open a new connection to the database? Thanks Travis Orr IVL Audio Inc #3-6703 Rajpur Place Victoria BC V8M 1Z5 ___ sqlite-users mailing list sqlite-users@sqlite.org http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users