Use the documented and supported sqlite3_set_authorizer() function to achieve 
security vetting of SQL Statements. This calls a user-supplied function with 
the details of which tables and fields the user is attempting to access and if 
this is a read or write access.

-----Original Message-----
From: sqlite-users-bounces at mailinglists.sqlite.org 
[mailto:sqlite-users-bounces at mailinglists.sqlite.org] On Behalf Of David 
Barrett
Sent: Tuesday, 19 January 2016 07:28
To: SQLite mailing list
Subject: Re: [sqlite] Wish list: allow developers use the power of sqliteparser

One use of this I would like is to create a security framework around arbitrary 
SQL queries from the user.  So, for example, I'd love to determine which tables 
(and which columns of those tables) a particular query is going to access, and 
then compare that list against a whitelist of columns the user is authorized to 
access.  I'm not confident enough in my own parsing skills to make something 
foolproof, but if I were using the same exact parser as sqlite, then it would 
be impossible to "trick".

Any suggestions on how to use the private Lemon parser methods to accomplish 
this?  Thanks!

-david



On Mon, Jan 18, 2016 at 7:17 AM, Domingo Alvarez Duarte < sqlite-mail at 
dev.dadbiz.es> wrote:

> Is this something crazy to ask as a developer ?
>
> I think that even for the author something like this would make
> several tasks easier.
>
> Ideally I would like to feed the parser with an sql string, get its
> syntax tree, maybe do some rewrite and feed it execute it, this
> possibility can open the door to amazing things.
>
>
>
> Thanks for all answers so far, I still want to hear any other idea
> that can lead to achieve the original request !
>
>
>
> Cheers !
>
> _______________________________________________
> sqlite-users mailing list
> sqlite-users at mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>


___________________________________________
 Gunter Hick
Software Engineer
Scientific Games International GmbH
FN 157284 a, HG Wien
Klitschgasse 2-4, A-1130 Vienna, Austria
Tel: +43 1 80100 0
E-Mail: hick at scigames.at
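
The column whitelist asked about in this thread, sketched with the authorizer hook recommended in the reply. This is an added example, not code from either poster or from the SQLite project. It uses Python's standard-library binding of sqlite3_set_authorizer(), `Connection.set_authorizer()`, and the table, column names and policy are constructed for illustration.

```python
import sqlite3

# Constructed policy: the (table, column) pairs this user may read.
ALLOWED_READS = {("users", "id"), ("users", "name")}


def make_authorizer(allowed_reads):
    """Build a deny-by-default callback for Connection.set_authorizer()."""
    def authorizer(action, arg1, arg2, db_name, source):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK      # the SELECT statement itself
        if action == sqlite3.SQLITE_READ:
            # arg1 = table, arg2 = column, as resolved by SQLite's own
            # parser, so "*", aliases and subqueries are already expanded.
            if (arg1, arg2) in allowed_reads:
                return sqlite3.SQLITE_OK
        # Everything else: other columns, writes, DDL, PRAGMA, functions.
        return sqlite3.SQLITE_DENY
    return authorizer


def open_restricted_db():
    """Create constructed sample data, then install the authorizer."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT,"
        " password_hash TEXT);"
        "INSERT INTO users VALUES (1, 'alice', 'constructed-hash-1');"
        "INSERT INTO users VALUES (2, 'bob', 'constructed-hash-2');"
    )
    conn.set_authorizer(make_authorizer(ALLOWED_READS))
    return conn


def run_untrusted(conn, sql):
    """Run user-supplied SQL; a denial surfaces when it is prepared."""
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.DatabaseError as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    db = open_restricted_db()
    for query in (
        "SELECT id, name FROM users WHERE id = 1",
        "SELECT * FROM users",
        "SELECT name FROM users WHERE id IN"
        " (SELECT id FROM users WHERE password_hash = 'x')",
        "DELETE FROM users",
    ):
        print(run_untrusted(db, query)[0], "<-", query)
```

Because the callback denies SQLITE_FUNCTION along with everything else not listed, queries that use LIKE or aggregates are rejected until the policy explicitly allows those functions.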
