Re: [sqlite] 3.11.0: Tcl sqlite3 extension can't do variable interpolation _and_ json_extract

Sun, 11 Jun 2017 04:02:57 -0700 

% mydb eval "SELECT json FROM $table WHERE json_extract(json, '\$.hash') =
\$hash"
% mydb eval "SELECT json FROM $table WHERE json_extract(json, '$.hash') =
$hash"
{{"a": "b", "hash": 244718899}}

I know, I _really_ don't want Tcl interpolating $hash directly in here, but
sqlite3's Tcl package does not seem to be doing something with the variable
properly.

I even tried specifying $hash as a variable rather than just using set,
still no luck:

% variable hash 244718899
% $hash
invalid command name "244718899"
% mydb eval "SELECT json FROM $table WHERE json_extract(json, '$.hash') =
$hash"
{{"a": "b", "hash": 244718899}}
% mydb eval {SELECT json FROM NotImportant WHERE json_extract(json,
'$.hash') = $hash}
% mydb eval "SELECT json FROM $table WHERE json_extract(json, '\$.hash') =
\$hash"
%

And setting a variable to the query doesn't like it either:

% set query "SELECT json FROM $table WHERE json_extract(json, '\$.hash') =
\$hash"
SELECT json FROM NotImportant WHERE json_extract(json, '$.hash') = $hash
% mydb eval $query
%


On Fri, Jun 9, 2017 at 10:45 AM, Richard Hipp <d...@sqlite.org> wrote:

> On 6/9/17, Zach C. <fxc...@gmail.com> wrote:
> > I was partially unclear with using a constant table name here; what I
> > actually need as well is the table name as effectively a const that I
> > control as well. So more like
> >
> > mydb eval {$SELECT json FROM $table WHERE json_extract(json, '$.hash') =
> > $someId}
>
> Like this then:
>
>    mydb eval "SELECT json FROM $table WHERE
> json_extract(json,'\$.hash')=\$someId"
>
> Put a backslash \ before every $ that you want passed down into
> SQLite.  And not that you definitely want the $ on $someId passed down
> into SQLite.  You do *not* want TCL to expand $someId for you.
>
> >
> > The problem is this will cause $table to be interpolated as a SQL string,
> > which it is not: it is a table name. But even if I _do_ make the table
> name
> > a literal, as in this query:
> >
> > % set hash 24471899
> > 24471899
> > % mydb eval {SELECT json FROM NotImportant WHERE json_extract(json,
> > '$.hash') = $hash}
> >
> > _and_ I'm using curly-brace evaluation, the json_extract fails.
> >
> > It isn't JSON1 because if I _directly_ interpolate (introducing the
> > possibility of SQL injection) it works fine.
> >
> > Even if I make the JSON path its own variable and do the same, it fails:
> >
> > % set json_path {$.hash}
> > $.hash
> > % mydb eval {SELECT json FROM NotImportant WHERE json_extract(json,
> > $json_path) = $hash}
> > %
> >
> > So I'm kind of at a loss.
> >
>
>
> --
> D. Richard Hipp
> d...@sqlite.org
>
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Reply via email to