fergalmoran/ladybird
1
0
Fork 0
mirror of https://github.com/fergalmoran/ladybird.git synced 2025-12-25 10:48:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

LibSQL: Parse and execute sequential placeholder values

Browse Source 
This partially implements SQLite's bind-parameter expression to support
indicating placeholder values in a SQL statement. For example:

    INSERT INTO table VALUES (42, ?);

In the above statement, the '?' identifier is a placeholder. This will
allow clients to compile statements a single time while running those
statements any number of times with different placeholder values.

Further, this will help mitigate SQL injection attacks.
This commit is contained in:
Timothy Flynn
2022-12-01 22:20:55 -05:00
committed by Andreas Kling
parent 53f8d62ea4
commit b2b9ae27fd
10 changed files with 154 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
Tests/LibSQL/TestSqlStatementParser.cpp
View File

@@ -752,6 +752,13 @@ TEST_CASE(nested_subquery_limit)
EXPECT(parse(DeprecatedString::formatted("SELECT * FROM ({});"sv, subquery)).is_error());
}
TEST_CASE(bound_parameter_limit)
{
auto subquery = DeprecatedString::repeated("?, "sv, SQL::AST::Limits::maximum_bound_parameters);
EXPECT(!parse(DeprecatedString::formatted("INSERT INTO table_name VALUES ({}42);"sv, subquery)).is_error());
EXPECT(parse(DeprecatedString::formatted("INSERT INTO table_name VALUES ({}?);"sv, subquery)).is_error());
}
TEST_CASE(describe_table)
{
EXPECT(parse("DESCRIBE"sv).is_error());