Note that parsing debug output is not a stable method of analysis (meaning SQlite Dev can change anything at whim), whereas the authorizer interface is documented.
Your implicit claim is "not all instances of column reference are reported to the authorizer, notably those inside a USING clause". -----Ursprüngliche Nachricht----- Von: sqlite-users [mailto:sqlite-users-boun...@mailinglists.sqlite.org] Im Auftrag von x Gesendet: Sonntag, 28. Juli 2019 13:49 An: SQLite mailing list <sqlite-users@mailinglists.sqlite.org> Betreff: Re: [sqlite] [EXTERNAL] Help with sqlite3TreeViewSelect The following simple example might illustrate what I’m trying to achieve CREATE TABLE tbl0 (a INTEGER PRIMARY KEY, b INTEGER); CREATE TABLE tbl1 (a INTEGER PRIMARY KEY, c INTEGER); Suppose a user enters the following sql SELECT b, c FROM tbl0 INNER JOIN tbl1 USING (a) WHERE a > ?1; I want to scan the sql, get the tables and columns associated with each ID token, check authorization and do some manipulation of my own. The sqlite3TreeViewSelect returns the following text '-- SELECT (1/2364128) selFlags=0xc4 nSelectRow=179 |-- result-set | |-- {0:1} flags=0x820000 | '-- {1:1} flags=0x820000 |-- FROM | |-- {0,*} tbl0 tab='tbl0' nCol=2 ptr=2421C68 | '-- {1,*} tbl1 tab='tbl1' nCol=2 ptr=2421D88 '-- WHERE '-- AND |-- GT | |-- {0:-1} flags=0x820000 | '-- VARIABLE(?1,1) '-- EQ |-- {0:-1} '-- {1:-1} From this text it would be easy to extract the equivalent sql SELECT t0.b, t1.c FROM tbl0 t0, tbl1 t1 WHERE t0.rowid > ?1 AND t0.rowid = t1.rowid; and I’ll know exactly what every table and column each token ID maps to. I can check the user is allowed to access these and then change any of the sql I want to before executing it. I could use the sqlite3_set_authorizer but the schema.table.column for each ID token isn’t sent to the authorizer callback in the order they appear in the sql. It also mysteriously omits some tokens. e.g. for above sql the authorizer wouldn’t receive a call for the ‘a’ column in USING (a) yet if the sql read SELECT b, c FROM tbl0 INNER JOIN tbl1 ON tbl0.a = tbl1.a WHERE tbl0.a > ?1; the authorizer callback would be called for tbl0.a and tbl1.a. _______________________________________________ sqlite-users mailing list sqlite-users@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users ___________________________________________ Gunter Hick | Software Engineer | Scientific Games International GmbH | Klitschgasse 2-4, A-1130 Vienna | FN 157284 a, HG Wien, DVR: 0430013 | (O) +43 1 80100 - 0 May be privileged. May be confidential. Please delete if not the addressee. _______________________________________________ sqlite-users mailing list sqlite-users@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
