The following simple example might illustrate what I’m trying to achieve
CREATE TABLE tbl0 (a INTEGER PRIMARY KEY, b INTEGER);
CREATE TABLE tbl1 (a INTEGER PRIMARY KEY, c INTEGER);
Suppose a user enters the following sql
SELECT b, c FROM tbl0 INNER JOIN tbl1 USING (a) WHERE a > ?1;
I want to scan the sql, get the tables and columns associated with each ID
token, check authorization and do some manipulation of my own. The
sqlite3TreeViewSelect returns the following text
'-- SELECT (1/2364128) selFlags=0xc4 nSelectRow=179
|-- result-set
| |-- {0:1} flags=0x820000
| '-- {1:1} flags=0x820000
|-- FROM
| |-- {0,*} tbl0 tab='tbl0' nCol=2 ptr=2421C68
| '-- {1,*} tbl1 tab='tbl1' nCol=2 ptr=2421D88
'-- WHERE
'-- AND
|-- GT
| |-- {0:-1} flags=0x820000
| '-- VARIABLE(?1,1)
'-- EQ
|-- {0:-1}
'-- {1:-1}
From this text it would be easy to extract the equivalent sql
SELECT t0.b, t1.c FROM tbl0 t0, tbl1 t1 WHERE t0.rowid > ?1 AND t0.rowid =
t1.rowid;
and I’ll know exactly what every table and column each token ID maps to. I can
check the user is allowed to access these and then change any of the sql I want
to before executing it.
I could use the sqlite3_set_authorizer but the schema.table.column for each ID
token isn’t sent to the authorizer callback in the order they appear in the
sql. It also mysteriously omits some tokens.
e.g. for above sql the authorizer wouldn’t receive a call for the ‘a’ column in
USING (a) yet if the sql read
SELECT b, c FROM tbl0 INNER JOIN tbl1 ON tbl0.a = tbl1.a WHERE tbl0.a > ?1;
the authorizer callback would be called for tbl0.a and tbl1.a.
_______________________________________________
sqlite-users mailing list
[email protected]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
