|Title:||ATTACH authorization fails when database name is not a literal|
|Last Modified:||2011-02-04 00:53:22|
|Version Found In:||3.7.5|
The authorizer (http://www.sqlite.org/c3ref/set_authorizer.html) is called
to validate every ATTACH command. The third parameter to the authorizer
callback should be the name of the database file that is to be attached.
But if the database name is specified as a parameter:
ATTACH $dbname AS newdb;
Then the name of the parameter is sent as the 3rd parameter, not the name of the file. Or, if the database name is an arbitrary expression, the 3rd parameter is undefined.
The probable fix is to document that whenever anything other than a string literal is used in an ATTACH statement that the 3rd argument to authorizer callback is NULL. In other words, a NULL filename to the SQLITE_ATTACH authorizer signifies that the filename is unknown at compile-time.
The code needs to be changed to implement the above, and the documentation needs to be changed to explain that this is how it works.