I need the ability to deny specific SQL operations (particularly ATTACH DATABASE) on a per-connection basis
SQLite provides sqlite3_set_authorizer() for this purpose. Other language bindings already expose it:
For the NIF, a full Erlang callback isn't practical since the authorizer is called synchronously during sqlite3_prepare(). Instead, a deny-list approach works well I think. The caller passes a list of action atoms to block, and a static C callback checks the list. This follows the same pattern as set_update_hook (config stored in the connection struct, C callback registered via SQLite API).
A PR implementing this is incoming, please review it carefully as I'm not the most experienced C dev in the world and would hate to be a cause of someone's SQL injection hack.
I need the ability to deny specific SQL operations (particularly
ATTACH DATABASE) on a per-connection basisSQLite provides
sqlite3_set_authorizer()for this purpose. Other language bindings already expose it:sqlite3.Connection.set_authorizer()SQLite3::setAuthorizer()For the NIF, a full Erlang callback isn't practical since the authorizer is called synchronously during
sqlite3_prepare(). Instead, a deny-list approach works well I think. The caller passes a list of action atoms to block, and a static C callback checks the list. This follows the same pattern asset_update_hook(config stored in the connection struct, C callback registered via SQLite API).A PR implementing this is incoming, please review it carefully as I'm not the most experienced C dev in the world and would hate to be a cause of someone's SQL injection hack.