Hello!
> I too am puzzled. Perhaps the app involves a web server accepting any
> bunch of text from anybody who knows the URL and just running the text
> as an SQL query -- i.e. read-only is perceived to be a last-ditch
> (only?) defence against an SQL injection attack.
There is an "authorizer" callback for access control. See the example below of
how to deny some operations on any of the opened databases:
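    sqlite3 db user.db
    db eval {ATTACH DATABASE 'work.db' as work}
    db authorizer authorizer

    # SQLite calls this with the action code first and the database name fourth.
    proc authorizer {args} {
        set dbname [lindex $args 3]
        set code [lindex $args 0]
        set action [lindex $args 1]
        # Anything outside the attached "work" database is allowed.
        if { $dbname ne {work}} {
            return SQLITE_OK
        }
        # On "work" only reads are allowed. "lin" is not a Tcl built-in;
        # presumably a list-membership helper defined elsewhere.
        if { $dbname eq {work} && [lin {SQLITE_READ SQLITE_SELECT} $code] == 1 } {
            return SQLITE_OK
        }
        # ns_log is the AOLserver/NaviServer logging command.
        ns_log Error "DENY DATABASE AUTORIZER\t$args"
        return SQLITE_DENY
    }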
There were some problems with the authorizer in Tcl, but now all bugs are
closed. With other languages you may test it yourself.
Best regards.
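
Added example, not part of the original message: the same read-only policy for the attached "work" database, written against Python's sqlite3 module so it can be run and checked. The file names, tables and rows are constructed for the demo, and refusing ATTACH/DETACH once the authorizer is installed is an assumption that goes beyond the posted Tcl proc, made because the policy is keyed on the schema alias.

```python
import os
import sqlite3
import tempfile

READ_ONLY_SCHEMA = "work"  # alias from the ATTACH statement in the post
READ_ACTIONS = {sqlite3.SQLITE_READ, sqlite3.SQLITE_SELECT}
# Assumption beyond the post: also refuse ATTACH/DETACH after setup.
SCHEMA_ACTIONS = {sqlite3.SQLITE_ATTACH, sqlite3.SQLITE_DETACH}

def authorizer(action, arg1, arg2, dbname, source):
    """Allow everything on other schemas, only reads on 'work'."""
    if action in SCHEMA_ACTIONS:
        return sqlite3.SQLITE_DENY
    if dbname != READ_ONLY_SCHEMA or action in READ_ACTIONS:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY

def open_restricted(user_path, work_path):
    # Attach first, then install the authorizer on the connection.
    conn = sqlite3.connect(user_path)
    conn.execute("ATTACH DATABASE ? AS work", (work_path,))
    conn.set_authorizer(authorizer)
    return conn

def try_sql(conn, sql):
    # Run one statement and report whether it ran or was refused.
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return "denied", str(exc)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        work_path = os.path.join(tmp, "work.db")
        seed = sqlite3.connect(work_path)  # constructed sample data
        seed.execute("CREATE TABLE jobs(name TEXT)")
        seed.execute("INSERT INTO jobs VALUES ('constructed row')")
        seed.commit()
        seed.close()
        conn = open_restricted(os.path.join(tmp, "user.db"), work_path)
        statements = [
            "ATTACH DATABASE ':memory:' AS scratch",
            "CREATE TABLE notes(body TEXT)",
            "INSERT INTO notes VALUES ('hello')",
            "SELECT name FROM work.jobs",
            "INSERT INTO work.jobs VALUES ('x')",
            "DELETE FROM work.jobs",
        ]
        results = {sql: try_sql(conn, sql) for sql in statements}
        conn.close()
        return results
```

The authorizer runs while a statement is being prepared, so a refused statement fails before it touches the database.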