如何限制sqlite仅执行SELECT语句,而不执行INSERT,UPDATE
[英]How to restrict sqlite only to execute SELECT statements, and not INSERT, UPDATE
问题描述
I have a reports page where you can enter the query manually for a report. 
我有一个报告页面,您可以在其中手动输入查询的报告。 How can I block any INSERT, UPDATE or DELETE statements, and only run SELECT? 如何阻止任何INSERT,UPDATE或DELETE语句,仅运行SELECT?
using (var connection = new SQLiteConnection(connectionString))
{
var da = new SQLiteDataAdapter
{
SelectCommand = new SQLiteCommand(query, connection)
};
try
{
da.Fill(table);
}
I could check if the query string contains "INSERT", "UPDATE" or "DELETE", but I don't think it's a good practice. 我可以检查查询字符串是否包含“ INSERT”,“ UPDATE”或“ DELETE”,但我认为这不是一个好习惯。
5 个解决方案
解决方案1
1 2011-01-18 14:29:48
Checking the query string is not good practice? 检查查询字符串不是一个好习惯吗? Compared to what? 比起什么? Allowing a user to enter any SQL statement they want to in your report page? 允许用户在报告页面中输入他们想要的任何SQL语句? I can't think of a much worse practice than that. 我认为没有比这更糟糕的做法了。 If you're going to allow that sort of thing, you absolutely need to somehow restrict the types of statements they enter, and maybe require a Where clause (to avoid millions of rows being returned) etc. 如果要允许这种事情,则绝对需要以某种方式限制它们输入的语句的类型,并且可能需要Where子句(以避免返回数百万行)等。
解决方案2
1 2011-01-18 14:47:45
in fact did you check what happens when you try to fill the table with the data adapter having anything else than a select in the query variable? 实际上,您是否在尝试使用数据适配器(查询变量中的select项除外)填充表时发生了什么情况? I doubt you get an empty table or dataset, I would expect an exception in which case you could rollback the transaction. 我怀疑您会得到一个空的表或数据集,在这种情况下,您可能会回滚该事务,因此会出现异常。
I would anyway try to create the connection as readonly as suggested above by Sorax and I would actually parse the query variable as well. 无论如何,我都会尝试将连接创建为Sorax上面建议的只读状态,并且实际上我也会解析查询变量。
解决方案3
1 已采纳 2011-01-18 15:15:19
解决方案4
0 2011-01-18 14:59:39
Since the SQlite database is just one file, my guess is that you can make the database readonly through the filesystem. 由于SQlite数据库只是一个文件,因此我猜测您可以通过文件系统将数据库设置为只读。 This is of course not a fancy solution but is one that does not require any code (of course except when you're throwing exceptions when writing isn't possible). 这当然不是一个很好的解决方案,但是它不需要任何代码(当然,除非您在无法编写时抛出异常)。
解决方案5
0 2011-01-18 15:37:48
A) Use a read-only connection - I think that would be almost the best solution A)使用只读连接-我认为这几乎是最好的解决方案
B) Use more than one TextBox as Input (but this would become more a solution like checking the String for Insert etc.) B)使用多个TextBox作为输入(但这将成为更多的解决方案,例如检查用于插入的String等)
For Example 例如
Select | 选择| _ ___ | _ ___ | From | 来自| __ _ __ _ ___ | __ _ __ _ ___ | Where | 哪里 __ _ __ _ _ | __ _ __ _ _ |
Edit: to answer your comment just have a look at http://www.sqlite.org/c3ref/open.html especially the topic "SQLITE_OPEN_READONLY" - I haven't done anything with sqlite now, but I think that should do the trick... 编辑:要回答您的评论,只需看看http://www.sqlite.org/c3ref/open.html,尤其是主题“ SQLITE_OPEN_READONLY”-我现在还没有对sqlite做任何事情,但是我认为应该这样做特技...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.