RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-31 09:38:11 +00:00
Code Issues Activity Actions

LibSQL: Parse and execute sequential placeholder values

Browse source 
This partially implements SQLite's bind-parameter expression to support
indicating placeholder values in a SQL statement. For example:

    INSERT INTO table VALUES (42, ?);

In the above statement, the '?' identifier is a placeholder. This will
allow clients to compile statements a single time while running those
statements any number of times with different placeholder values.

Further, this will help mitigate SQL injection attacks.
This commit is contained in:
Timothy Flynn 2022-12-01 22:20:55 -05:00 committed by Andreas Kling
parent 53f8d62ea4
commit b2b9ae27fd
10 changed files with 154 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

3
Userland/Libraries/LibSQL/AST/Parser.h
View file

@ -19,6 +19,7 @@ namespace Limits {
// https://www.sqlite.org/limits.html
constexpr size_t maximum_expression_tree_depth = 1000;
constexpr size_t maximum_subquery_depth = 100;
constexpr size_t maximum_bound_parameters = 1000;
}
class Parser {
@ -52,6 +53,7 @@ private:
Vector<Error> m_errors;
size_t m_current_expression_depth { 0 };
size_t m_current_subquery_depth { 0 };
size_t m_bound_parameters { 0 };
};
NonnullRefPtr<Statement> parse_statement();
@ -71,6 +73,7 @@ private:
NonnullRefPtr<Expression> parse_secondary_expression(NonnullRefPtr<Expression> primary);
bool match_secondary_expression() const;
RefPtr<Expression> parse_literal_value_expression();
RefPtr<Expression> parse_bind_parameter_expression();
RefPtr<Expression> parse_column_name_expression(DeprecatedString with_parsed_identifier = {}, bool with_parsed_period = false);
RefPtr<Expression> parse_unary_operator_expression();
RefPtr<Expression> parse_binary_operator_expression(NonnullRefPtr<Expression> lhs);