[sqlite] WHERE clause analysis - find referenced columns

2009-03-03 Thread Alex Ousherovitch 
Hello list,

 

I need to implement a security model where certain columns (e.g. named
super_secret_key) will be hidden. 

This needs to be enforced not only for the requested result columns but
also for the columns referenced in the WHERE clause.

Is there a relatively simple way to either get each column referenced in
the WHERE clause or build a query that would check if the WHERE clause
(I could place it in a temporary table) contains the super_secret_key as
a column name, but not as a value.

 

Thank you,

Alex

 

___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] WHERE clause analysis - find referenced columns

2009-03-04 Thread Alex Ousherovitch 
Hello list,

 

I need to implement a security model where certain columns (e.g. named
super_secret_key) will be hidden. 

This needs to be enforced not only for the requested result columns but
also for the columns referenced in the WHERE clause.

Is there a relatively simple way to either get each column referenced in
the WHERE clause or build a query that would check if the WHERE clause
(I could place it in a temporary table) contains the super_secret_key as
a column name, but not as a value.

 

Thank you,

Alex

 

___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] WHERE clause analysis - find referenced columns

2009-03-03 Thread D. Richard Hipp 

On Mar 3, 2009, at 8:18 PM, Alex Ousherovitch wrote:

> Hello list,
>
>
>
> I need to implement a security model where certain columns (e.g. named
> super_secret_key) will be hidden.
>
> This needs to be enforced not only for the requested result columns  
> but
> also for the columns referenced in the WHERE clause.
>
> Is there a relatively simple way to either get each column  
> referenced in
> the WHERE clause or build a query that would check if the WHERE clause
> (I could place it in a temporary table) contains the  
> super_secret_key as
> a column name, but not as a value.
>


http://www.sqlite.org/c3ref/set_authorizer.html

This feature is used by systems such as

http://www.cvstrac.org/
http://www.fossil-scm.org/

to prevent unauthorized users from enters hostile SQL, or from  
entering SQL that uses sensitive information such as the "password"  
column of the "user" table.

D. Richard Hipp
d...@hwaci.com



___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] WHERE clause analysis - find referenced columns

2009-03-03 Thread Alex Ousherovitch 
Unfortunately, for the SQLITE_SELECT action code
(http://www.sqlite.org/c3ref/c_alter_table.html) the registered auth
callback will not get the column information.
It is only available for SQLITE_READ, which, I guess, is not what I need
- I would like prepare statement to fail if there are "hidden columns"
in the search criteria.
Is this possible?

 

> http://www.sqlite.org/c3ref/set_authorizer.html

> 

> This feature is used by systems such as

> 

>http://www.cvstrac.org/

>http://www.fossil-scm.org/

> 

> to prevent unauthorized users from enters hostile SQL, or from  

> entering SQL that uses sensitive information such as the "password"  

> column of the "user" table.

> 

> D. Richard Hipp

> drh at hwaci.com
 

 

___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users