Hello!

> I too am puzzled. Perhaps the app involves a web server accepting any
> bunch of text from anybody who knows the URL and just running the text
> as an SQL query -- i.e. read-only is perceived to be a last-ditch
> (only?) defence against an SQL injection attack.

There is an "authorizer" callback for access control. See the example below of how to deny some operations on any of the opened databases:

    package require sqlite3

    sqlite3 db user.db
    db eval {ATTACH DATABASE 'work.db' as work}
    db authorizer authorizer

    # Callback arguments: action code, two action-specific values,
    # database name, trigger/view name
    proc authorizer {args} {
        set dbname [lindex $args 3]
        set code [lindex $args 0]
        set action [lindex $args 1]
        # Anything outside the attached "work" database is allowed
        if { $dbname ne {work} } {
            return SQLITE_OK
        }
        # Inside "work", only read operations are allowed
        if { $dbname eq {work} && [lsearch -exact {SQLITE_READ SQLITE_SELECT} $code] >= 0 } {
            return SQLITE_OK
        }
        # ns_log is the AOLserver/NaviServer logging command
        ns_log Error "DENY DATABASE AUTORIZER\t$args"
        return SQLITE_DENY
    }

There were some problems with the authorizer in Tcl, but now all bugs are closed. With other languages you may test it yourself.

Best regards.
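
The same policy through the authorizer hook in Python's `sqlite3` module, as an added example that is not part of the original post. The in-memory databases, the table names and the helpers `open_databases` and `try_sql` are constructed for illustration.

```python
import sqlite3

READ_ONLY_ACTIONS = {sqlite3.SQLITE_READ, sqlite3.SQLITE_SELECT}
denied = []  # audit trail of refused operations


def authorizer(action, arg1, arg2, db_name, trigger_name):
    """Allow everything outside 'work'; allow only reads inside it."""
    if db_name != "work":
        return sqlite3.SQLITE_OK
    if action in READ_ONLY_ACTIONS:
        return sqlite3.SQLITE_OK
    denied.append((action, arg1, arg2, db_name))
    return sqlite3.SQLITE_DENY


def open_databases():
    # Constructed sample data: in-memory databases stand in for user.db and work.db.
    con = sqlite3.connect(":memory:", isolation_level=None)
    con.execute("ATTACH DATABASE ':memory:' AS work")
    con.execute("CREATE TABLE main.notes(x)")
    con.execute("CREATE TABLE work.jobs(x)")
    con.execute("INSERT INTO work.jobs VALUES ('seed')")
    # Install the policy last: the setup statements above ran without it.
    con.set_authorizer(authorizer)
    return con


def try_sql(con, sql):
    """Return (True, rows) if the statement ran, (False, message) if refused."""
    try:
        return True, con.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return False, str(exc)


if __name__ == "__main__":
    con = open_databases()
    for sql in ("SELECT x FROM work.jobs",
                "INSERT INTO work.jobs VALUES ('x')",
                "DROP TABLE work.jobs",
                "INSERT INTO main.notes VALUES ('n')"):
        print(sql, "->", try_sql(con, sql))
    print("denied:", denied)
```

The authorizer runs when a statement is compiled, so a refused statement fails before it touches any data.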