I had to do something similar. In the end I decided on a simple subset of SQL and then wrote a parser using a regex as the tokeniser. The output was SQL. By doing it this way I could validate field names and make sure all values were correctly formatted and escaped.
Cheers

On Thu, 12 Dec 2019 at 13:01, Richard Hipp <[email protected]> wrote:
> On 12/12/19, test user <[email protected]> wrote:
> > Hello,
> >
> > How can I secure user supplied SQL statements in a single process?
>
> See https://www.sqlite.org/security.html for an introduction.
>
> Other suggestions:
>
> (1) Run the process that is evaluating user-supplied SQL in a sandbox,
> where it can do no harm if it does malfunction.
>
> (2) Limit the SQL to verified users. Do not allow SQL from anonymous
> robots on the internet.
>
> (3) Restrict the scope of SQL using the authorizer, if possible.
>
> (4) Always use the latest available version of SQLite with all the
> latest patches.
>
> --
> D. Richard Hipp
> [email protected]
> _______________________________________________
> sqlite-users mailing list
> [email protected]
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
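The two ideas in this exchange, the reply's "subset of SQL with a regex tokeniser" and Richard Hipp's suggestion (3) of restricting scope with the authorizer, fit together as layers, so here is one worked example of both. It is added code for this page, not the poster's parser and not anything from the SQLite project. It uses Python's standard sqlite3 module, whose Connection.set_authorizer wraps sqlite3_set_authorizer; the table and column whitelist, the in-memory schema and the sample rows are constructed for the example. The parser accepts only `SELECT cols FROM table [WHERE col op literal ...]`, re-quotes whitelisted identifiers and turns every literal into a bound parameter; the authorizer independently denies anything that is not a SELECT over the same whitelist, so a bypass of the parser still fails at prepare time.

```python
import re
import sqlite3

ALLOWED = {"users": {"id", "name", "age"}}  # tables/columns user queries may read (constructed schema)

# Regex tokeniser for a SELECT-only SQL subset; anything else (';', '--', '(', '*') is rejected.
TOKEN_RE = re.compile(r"""\s*(?:
      (?P<kw>SELECT|FROM|WHERE|AND|OR)\b
    | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
    | (?P<num>-?\d+(?:\.\d+)?)
    | '(?P<str>(?:[^']|'')*)'
    | (?P<op><>|!=|<=|>=|=|<|>)
    | (?P<comma>,)
)""", re.IGNORECASE | re.VERBOSE)

def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text) and not text[pos:].isspace():
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:pos + 10]!r}")
        kind = m.lastgroup
        tokens.append((kind, m.group(kind).upper() if kind == "kw" else m.group(kind)))
        pos = m.end()
    return tokens

def compile_query(text):
    """SELECT col[, col]* FROM table [WHERE col op literal [(AND|OR) col op literal]*] -> (sql, params).
    Identifiers are whitelisted and re-quoted; literals become '?' parameters, never SQL text."""
    toks, params, pos = tokenize(text), [], 0
    peek = lambda: toks[pos] if pos < len(toks) else (None, None)
    def take(kind, value=None):
        nonlocal pos
        k, v = peek()
        if k != kind or value not in (None, v):
            raise ValueError(f"expected {value or kind}, got {v!r}")
        pos += 1
        return v
    def checked(name, allowed, what):
        if name not in allowed:
            raise ValueError(f"unknown {what} {name!r}")
        return name
    def condition(allowed):
        col = checked(take("ident").lower(), allowed, "column")
        op = take("op")
        if peek()[0] == "num":
            v = take("num")
            params.append(float(v) if "." in v else int(v))
        else:
            params.append(take("str").replace("''", "'"))  # undo SQL quote doubling
        return f'"{col}" {op} ?'
    take("kw", "SELECT")
    cols = [take("ident").lower()]
    while peek()[0] == "comma":
        take("comma")
        cols.append(take("ident").lower())
    take("kw", "FROM")
    table = checked(take("ident").lower(), ALLOWED, "table")
    cols = [checked(c, ALLOWED[table], "column") for c in cols]
    sql = "SELECT " + ", ".join(f'"{c}"' for c in cols) + f' FROM "{table}"'
    if peek() == ("kw", "WHERE"):
        parts = [take("kw"), condition(ALLOWED[table])]
        while peek() in (("kw", "AND"), ("kw", "OR")):
            parts += [take("kw"), condition(ALLOWED[table])]
        sql += " " + " ".join(parts)
    if pos != len(toks):
        raise ValueError(f"unexpected trailing token {peek()[1]!r}")
    return sql, tuple(params)

def authorizer(action, table, column, db_name, source):
    # Suggestion (3): permit SELECTs over whitelisted table/column pairs, deny everything
    # else (writes, DDL, PRAGMA, other tables) at prepare time, even if the parser is bypassed.
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and table in ALLOWED and column in ALLOWED[table] | {""}:
        return sqlite3.SQLITE_OK  # column is "" when only the table itself is referenced
    return sqlite3.SQLITE_DENY

def setup_demo_db():
    conn = sqlite3.connect(":memory:")  # constructed data: one whitelisted table, one not
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, age INTEGER);
        INSERT INTO users(name, age) VALUES ('alice', 34), ('bob', 41), ('carol', 27);
        CREATE TABLE secrets(token TEXT); INSERT INTO secrets VALUES ('s3cr3t');""")
    conn.set_authorizer(authorizer)  # installed after setup, which it would deny
    return conn

def run_raw(conn, sql, params=()):
    """Execute SQL under the authorizer; None when SQLite refuses to prepare it."""
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.DatabaseError:
        return None

def run_user_query(conn, text):
    """Rows for a user query in the subset; None when the parser rejects the text."""
    try:
        return run_raw(conn, *compile_query(text))
    except ValueError:
        return None
```

Two things worth noting when adapting this. The authorizer is installed only after the schema exists, because it denies the CREATE and INSERT statements that build it; in a real service the connection that evaluates user SQL should never be the one that performs writes. And the tokeniser treats a doubled quote inside a string literal as an escaped quote, so a classic `'a'' OR ''1''=''1'` payload survives only as a harmless bound parameter value, while a `;` or an unquoted `1=1` is refused before any SQL is generated.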

