Open jdrew1303 opened 6 years ago
Franchise already bundles sqlite-parser, and we were looking into bundling your sqltraverse library for some cool query builder stuff.
MySQL and Postgres have somewhat different syntax than SQLite, so it remains an open question what the tool should do if the parser fails.
Clearly the right way to do this isn't with a front end limitation. If the user shouldn't be able to write to the database then that account shouldn't have the privileges.
But I'm all for making it so that the user has to be extra careful if the tool detects that a query might write to the database. Perhaps making the user have to check a box that proves they're aware of this.
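One way to implement the detect-and-confirm check discussed in this thread, as an added example that is not part of the original comments or Franchise's own code. The names `reviewQuery`, `findWrites`, `WRITE_VARIANTS` and `sampleParse` are hypothetical, the AST node shape is an assumption modelled on sqlite-parser output, and the sample ASTs are constructed by hand. A parse failure is treated as "might write" so that MySQL- or Postgres-only syntax still triggers the confirmation.

```javascript
// Added example. Node shape ({type: 'statement', variant: ...}) is an assumption
// modelled on sqlite-parser output; the sample ASTs below are constructed.
const WRITE_VARIANTS = new Set([
  'insert', 'update', 'delete', 'drop', 'create', 'alter', 'replace',
]);

// Walk every object and array in the tree so a write that sits deeper in the
// AST (second statement in a list, nested statement) is found as well.
function findWrites(node, found = []) {
  if (Array.isArray(node)) {
    for (const child of node) findWrites(child, found);
  } else if (node !== null && typeof node === 'object') {
    const variant = String(node.variant || '').toLowerCase();
    if (node.type === 'statement' && WRITE_VARIANTS.has(variant)) found.push(variant);
    for (const value of Object.values(node)) findWrites(value, found);
  }
  return found;
}

// `parse` is injected (hypothetical wiring): any function that returns an AST
// or throws. An unparsable query fails closed and needs explicit confirmation.
function reviewQuery(sql, parse) {
  let ast;
  try {
    ast = parse(sql);
  } catch (err) {
    return { needsConfirmation: true, reason: 'unparsed', writes: [] };
  }
  const writes = findWrites(ast);
  return writes.length > 0
    ? { needsConfirmation: true, reason: 'writes', writes }
    : { needsConfirmation: false, reason: 'read-only', writes };
}

// Constructed stand-in parser: maps sample queries to hand-built ASTs and
// throws for anything else, as a real parser would on unsupported syntax.
const SAMPLE_ASTS = new Map([
  ['SELECT * FROM users', { type: 'statement', variant: 'list', statement: [
    { type: 'statement', variant: 'select', from: { type: 'identifier', name: 'users' } }] }],
  ['SELECT 1; DROP TABLE users', { type: 'statement', variant: 'list', statement: [
    { type: 'statement', variant: 'select' },
    { type: 'statement', variant: 'drop', target: { type: 'identifier', name: 'users' } }] }],
]);
function sampleParse(sql) {
  if (!SAMPLE_ASTS.has(sql)) throw new SyntaxError('parser could not handle: ' + sql);
  return SAMPLE_ASTS.get(sql);
}
```

The result only drives the confirmation checkbox; the account's database privileges remain what actually prevents writes.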
Current behaviour:
DROP TABLE, DELETE, etc). They are also able to add data (INSERT, etc).
Expected behaviour:
Possible solutions:
Application fixes:
sqlite-parser, walking the ast with sqltraverse (yup it's a shameless plug). That way you can check for subqueries that may cause issues and notify the user.
Databases admin fixes: