Check SQL query passed to execute

When `extra_check` feature is activated: Fail when query has a column count > 0 Or when query is readonly.
2024-11-22 05:50:35 +08:00 · 2019-08-26 20:21:23 +02:00 · 2019-08-26 20:21:23 +02:00 · 00d50199a2
commit 00d50199a2
parent 835b69fcb7
5 changed files with 34 additions and 5 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -28,7 +28,7 @@ script:
  - cargo build --features sqlcipher
  - cargo build --features "bundled sqlcipher"
  - cargo test
-  - cargo test --features "backup blob"
+  - cargo test --features "backup blob extra_check"
  - cargo test --features "collation functions"
  - cargo test --features "hooks limits"
  - cargo test --features load_extension
--- a/Cargo.toml
+++ b/Cargo.toml
@ -48,12 +48,13 @@ csvtab = ["csv", "vtab"]
 # pointer passing interfaces: 3.20.0
 array = ["vtab"]
 # session extension: 3.13.0
-session = ["libsqlite3-sys/session", "hooks"]
+#session = ["libsqlite3-sys/session", "hooks"]
 # window functions: 3.25.0
 window = ["functions"]
 # 3.9.0
 series = ["vtab"]
-
+# check for invalid query.
+extra_check = []

 [dependencies]
 time = "0.1.0"
--- a/src/collation.rs
+++ b/src/collation.rs
@ -125,7 +125,9 @@ impl InnerConnection {
                    str::from_utf8_unchecked(c_slice)
                };
                callback(&conn, collation_name)
-            }).is_err() {
+            })
+            .is_err()
+            {
                return; // FIXME How ?
            }
        }
--- a/src/lib.rs
+++ b/src/lib.rs
@ -890,7 +890,8 @@ mod test {
            )
            .expect("create temp db");

-        let mut db1 = Connection::open_with_flags(&path, OpenFlags::SQLITE_OPEN_READ_WRITE).unwrap();
+        let mut db1 =
+            Connection::open_with_flags(&path, OpenFlags::SQLITE_OPEN_READ_WRITE).unwrap();
        let mut db2 = Connection::open_with_flags(&path, OpenFlags::SQLITE_OPEN_READ_ONLY).unwrap();

        db1.busy_timeout(Duration::from_millis(0)).unwrap();
--- a/src/statement.rs
+++ b/src/statement.rs
@ -511,6 +511,7 @@ impl Statement<'_> {
    }

    fn execute_with_bound_parameters(&mut self) -> Result<usize> {
+        self.check_update()?;
        let r = self.stmt.step();
        self.stmt.reset();
        match r {
@ -547,6 +548,30 @@ impl Statement<'_> {
        Ok(())
    }

+    #[cfg(all(feature = "bundled", feature = "extra_check"))]
+    #[inline]
+    fn check_update(&self) -> Result<()> {
+        if self.column_count() > 0 || self.stmt.readonly() {
+            return Err(Error::ExecuteReturnedResults);
+        }
+        Ok(())
+    }
+
+    #[cfg(all(not(feature = "bundled"), feature = "extra_check"))]
+    #[inline]
+    fn check_update(&self) -> Result<()> {
+        if self.column_count() > 0 {
+            return Err(Error::ExecuteReturnedResults);
+        }
+        Ok(())
+    }
+
+    #[cfg(not(feature = "extra_check"))]
+    #[inline]
+    fn check_update(&self) -> Result<()> {
+        Ok(())
+    }
+
    /// Returns a string containing the SQL text of prepared statement with
    /// bound parameters expanded.
    #[cfg(feature = "bundled")]