Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
Comment: | Add SQLITE_DIRECTONLY to the change log and documentation. Fix a typo in changes to the index_info pragma. |
---|---|
Downloads: | Tarball | ZIP archive |
Timelines: | family | ancestors | descendants | both | trunk |
Files: | files | file ages | folders |
SHA3-256: |
518f7b3bdd4b95e5d282baef2657996c |
User & Date: | drh 2019-09-16 14:49:18.877 |
Context
2019-09-26
| ||
15:24 | Adjustments to the document indexes. (check-in: ede6ba1df3 user: drh tags: trunk) | |
2019-09-16
| ||
14:49 | Add SQLITE_DIRECTONLY to the change log and documentation. Fix a typo in changes to the index_info pragma. (check-in: 518f7b3bdd user: drh tags: trunk) | |
14:09 | Remove documentation fixes from the release branch. (check-in: b10a80aacd user: drh tags: trunk) | |
Changes
Changes to pages/changes.in.
︙ | ︙ | |||
34 35 36 37 38 39 40 41 42 43 44 45 46 47 | it recovers more content from corrupt database files. <li> Enhance the [RBU] extension to support [indexes on expressions]. <li> Change the schema parser so that it will error out if any of the type, name, and tbl_name columns of the [sqlite_master table] have been corrupted and the database connection is not in [writable_schema] mode. <li> Add the [SQLITE_DBCONFIG_ENABLE_VIEW] option for [sqlite3_db_config()]. <li> The legacy [SQLITE_ENABLE_STAT3] compile-time option is now a no-op. } chng {2019-07-10 (3.29.0)} { <li> Added the [SQLITE_DBCONFIG_DQS_DML] and [SQLITE_DBCONFIG_DQS_DDL] actions to [sqlite3_db_config()] for activating and deactivating the [double-quoted string literal] misfeature. Both default to "on" | > > > | 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 | it recovers more content from corrupt database files. <li> Enhance the [RBU] extension to support [indexes on expressions]. <li> Change the schema parser so that it will error out if any of the type, name, and tbl_name columns of the [sqlite_master table] have been corrupted and the database connection is not in [writable_schema] mode. <li> Add the [SQLITE_DBCONFIG_ENABLE_VIEW] option for [sqlite3_db_config()]. <li> Added the [SQLITE_DIRECTONLY] flag for [application-defined SQL functions] to prevent those functions from being used inside triggers and views. <li> The legacy [SQLITE_ENABLE_STAT3] compile-time option is now a no-op. } chng {2019-07-10 (3.29.0)} { <li> Added the [SQLITE_DBCONFIG_DQS_DML] and [SQLITE_DBCONFIG_DQS_DDL] actions to [sqlite3_db_config()] for activating and deactivating the [double-quoted string literal] misfeature. Both default to "on" |
︙ | ︙ |
Changes to pages/pragma.in.
︙ | ︙ | |||
1475 1476 1477 1478 1479 1480 1481 | <ol> <li>^(The rank of the column within the index. (0 means left-most.))^ <li>^The rank of the column within the table being indexed. <li>^The name of the column being indexed. </ol> <p>If there is no index named <i>index-name</i> but there is a | | | 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 | <ol> <li>^(The rank of the column within the index. (0 means left-most.))^ <li>^The rank of the column within the table being indexed. <li>^The name of the column being indexed. </ol> <p>If there is no index named <i>index-name</i> but there is a [WITHOUT ROWID] table with that name, then (as of SQLite [version 3.30.0] on [dateof:3.30.0]) this pragma returns the PRIMARY KEY columns of the WITHOUT ROWID table as they are used in the records of the underlying b-tree, which is to say with duplicate columns removed. } Pragma index_xinfo { |
︙ | ︙ | |||
1509 1510 1511 1512 1513 1514 1515 | <li>^The name for the [collating sequence] used to compare values in the index-column. <li>^1 if the index-column is a key column and 0 if the index-column is an auxiliary column. </ol> <p>If there is no index named <i>index-name</i> but there is a | | | 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 | <li>^The name for the [collating sequence] used to compare values in the index-column. <li>^1 if the index-column is a key column and 0 if the index-column is an auxiliary column. </ol> <p>If there is no index named <i>index-name</i> but there is a [WITHOUT ROWID] table with that name, then (as of SQLite [version 3.30.0] on [dateof:3.30.0]) this pragma returns the columns of the WITHOUT ROWID table as they are used in the records of the underlying b-tree, which is to say with de-duplicated PRIMARY KEY columns first followed by data columns. } Pragma index_list { |
︙ | ︙ |
Changes to pages/security.in.
︙ | ︙ | |||
132 133 134 135 136 137 138 139 140 | If the application does use triggers or views, then use queries to scan the [sqlite_master] table to verify that the triggers and views found there are expected, that there are no surplus triggers or views, existing triggers and views have not been tampered with, and that no existing ordinary tables have been replaced by malicious views. </p> </ol> </ol> | > > > > > > > > > > > > < | 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 | If the application does use triggers or views, then use queries to scan the [sqlite_master] table to verify that the triggers and views found there are expected, that there are no surplus triggers or views, existing triggers and views have not been tampered with, and that no existing ordinary tables have been replaced by malicious views. </p> <li><p> If the application uses [application-defined SQL functions] that have side effects, then it is recommended to set the [SQLITE_DIRECTONLY] flag on those SQL functions to prevent them from being used inside triggers and views. To illustrate the importants of this flag, consider an application that implements an SQL function "send_money(...)". Without the SQLITE_DIRECTONLY flag, an attacker might be able to add a trigger or view that uses that custom function, then trick a high-privilege application to run an otherwise harmless query that invokes that malicious trigger or view. The SQLITE_DIRECTONLY flag prevents the attack by requiring the "send_money()" function to be invoked directly by the application, rather than indirectly through a trigger or view. </ol> </ol> <p>Even if the application does not deliberately accept database files from untrusted sources, beware of attacks in which a local database file is surreptitiously altered to contain harmful content. <h1>Summary</h1> |
︙ | ︙ |