SQLite3::setAuthorizer

(PHP 8)

SQLite3::setAuthorizerConfigures a callback to be used as an authorizer to limit what a statement can do

Beschreibung

public SQLite3::setAuthorizer(?callable $callback): bool

Sets a callback that will be called by SQLite every time an action is performed (reading, deleting, updating, etc.). This is used when preparing a SQL statement from an untrusted source to ensure that the SQL statements do not try to access data they are not allowed to see, or that they do not try to execute malicious statements that damage the database. For example, an application may allow a user to enter arbitrary SQL queries for evaluation by a database. But the application does not want the user to be able to make arbitrary changes to the database. An authorizer could then be put in place while the user-entered SQL is being prepared that disallows everything except SELECT statements.

The authorizer callback may be called multiple times for each statement prepared by SQLite. A SELECT or UPDATE query will call the authorizer for every column that would be read or updated.

The authorizer is called with up to five parameters. The first parameter is always given, and is an int (action code) matching a constant from SQLite3. The other parameters are only passed for some actions. The following table describes the second and third parameters according to the action:

List of action codes and parameters
Action Second parameter Third parameter
SQLite3::CREATE_INDEXIndex NameTable Name
SQLite3::CREATE_TABLETable Namenull
SQLite3::CREATE_TEMP_INDEXIndex NameTable Name
SQLite3::CREATE_TEMP_TABLETable Namenull
SQLite3::CREATE_TEMP_TRIGGERTrigger NameTable Name
SQLite3::CREATE_TEMP_VIEWView Namenull
SQLite3::CREATE_TRIGGERTrigger NameTable Name
SQLite3::CREATE_VIEWView Namenull
SQLite3::DELETETable Namenull
SQLite3::DROP_INDEXIndex NameTable Name
SQLite3::DROP_TABLETable Namenull
SQLite3::DROP_TEMP_INDEXIndex NameTable Name
SQLite3::DROP_TEMP_TABLETable Namenull
SQLite3::DROP_TEMP_TRIGGERTrigger NameTable Name
SQLite3::DROP_TEMP_VIEWView Namenull
SQLite3::DROP_TRIGGERTrigger NameTable Name
SQLite3::DROP_VIEWView Namenull
SQLite3::INSERTTable Namenull
SQLite3::PRAGMAPragma NameFirst argument passed to the pragma, or null
SQLite3::READTable NameColumn Name
SQLite3::SELECTnullnull
SQLite3::TRANSACTIONOperationnull
SQLite3::UPDATETable NameColumn Name
SQLite3::ATTACHFilenamenull
SQLite3::DETACHDatabase Namenull
SQLite3::ALTER_TABLEDatabase NameTable Name
SQLite3::REINDEXIndex Namenull
SQLite3::ANALYZETable Namenull
SQLite3::CREATE_VTABLETable NameModule Name
SQLite3::DROP_VTABLETable NameModule Name
SQLite3::FUNCTIONnullFunction Name
SQLite3::SAVEPOINTOperationSavepoint Name
SQLite3::RECURSIVEnullnull

The 4th parameter will be the name of the database ("main", "temp", etc.) if applicable.

The 5th parameter to the authorizer callback is the name of the inner-most trigger or view that is responsible for the access attempt or null if this access attempt is directly from top-level SQL code.

When the callback returns SQLite3::OK, that means the operation requested is accepted. When the callback returns SQLite3::DENY, the call that triggered the authorizer will fail with an error message explaining that access is denied.

If the action code is SQLite3::READ and the callback returns SQLite3::IGNORE then the prepared statement is constructed to substitute a null value in place of the table column that would have been read if SQLite3::OK had been returned. The SQLite3::IGNORE return can be used to deny an untrusted user access to individual columns of a table.

When a table is referenced by a SELECT but no column values are extracted from that table (for example in a query like "SELECT count(*) FROM table") then the SQLite3::READ authorizer callback is invoked once for that table with a column name that is an empty string.

If the action code is SQLite3::DELETE and the callback returns SQLite3::IGNORE then the DELETE operation proceeds but the truncate optimization is disabled and all rows are deleted individually.

Only a single authorizer can be in place on a database connection at a time. Each call to SQLite3::setAuthorizer() overrides the previous call. Disable the authorizer by installing a null callback. The authorizer is disabled by default.

The authorizer callback must not do anything that will modify the database connection that invoked the authorizer callback.

Note that the authorizer is only called when a statement is prepared, not when it's executed.

More details can be found in the » SQLite3 documentation.

Parameter-Liste

callback

The callable to be called.

If null is passed instead, this will disable the current authorizer callback.

Rückgabewerte

Gibt bei Erfolg true zurück. Bei einem Fehler wird false zurückgegeben.

Fehler/Exceptions

This method doesn't throw any error, but if an authorizer is enabled and returns an invalid value, the statement preparation will throw an error (or exception, depending on the use of the SQLite3::enableExceptions() method).

Beispiele

Beispiel #1 SQLite3::setAuthorizer() example

This only allows access to reading, and only some columns of the users table will be returned. Other columns will be replaced with null.

<?php
$db 
= new SQLite3('data.sqlite');
$db->exec('CREATE TABLE users (id, name, password);');
$db->exec('INSERT INTO users VALUES (1, \'Pauline\', \'Snails4eva\');');

$allowed_columns = ['id''name'];

$db->setAuthorizer(function (int $action, ...$args) use ($allowed_columns) {
    if (
$action === SQLite3::READ) {
        list(
$table$column) = $args;

        if (
$table === 'users' && in_array($column$allowed_columns) {
            return 
SQLite3::OK;
        }

        return 
SQLite3::IGNORE;
    }

    return 
SQLite3::DENY;
});

print_r($db->querySingle('SELECT * FROM users WHERE id = 1;'));

Das oben gezeigte Beispiel erzeugt folgende Ausgabe:

Array
(
    [id] => 1
    [name] => Pauline
    [password] =>
)

Hier Kannst Du einen Kommentar verfassen


Bitte gib mindestens 10 Zeichen ein.
Wird geladen... Bitte warte.
* Pflichtangabe
Es sind noch keine Kommentare vorhanden.

PHP cURL-Tutorial: Verwendung von cURL zum Durchführen von HTTP-Anfragen

cURL ist eine leistungsstarke PHP-Erweiterung, die es Ihnen ermöglicht, mit verschiedenen Servern über verschiedene Protokolle wie HTTP, HTTPS, FTP und mehr zu kommunizieren. ...

TheMax

Autor : TheMax
Kategorie: PHP-Tutorials

Midjourney Tutorial - Anleitung für Anfänger

Über Midjourney, dem Tool zur Erstellung digitaler Bilder mithilfe von künstlicher Intelligenz, gibt es ein informatives Video mit dem Titel "Midjourney Tutorial auf Deutsch - Anleitung für Anfänger" ...

Mike94

Autor : Mike94
Kategorie: KI Tutorials

Grundlagen von Views in MySQL

Views in einer MySQL-Datenbank bieten die Möglichkeit, eine virtuelle Tabelle basierend auf dem Ergebnis einer SQL-Abfrage zu erstellen. ...

admin

Autor : admin
Kategorie: mySQL-Tutorials

Tutorial veröffentlichen

Tutorial veröffentlichen

Teile Dein Wissen mit anderen Entwicklern weltweit

Du bist Profi in deinem Bereich und möchtest dein Wissen teilen, dann melde dich jetzt an und teile es mit unserer PHP-Community

mehr erfahren

Tutorial veröffentlichen

Notizen-App: was ist eure - ich komm immer wieder auf Keep zurück...

Hallo liebe Community, guten Abend, Notizen-App: was ist eure - ich komm immer wieder auf Keep zurück... was ist eure beste NoteTaking App!? i ...

Geschrieben von dhubs am 22.12.2024 23:05:11
Forum: Off-Topic Diskussionen
How to overcome Safari's iframe cookie block?

To overcome Safari's iframe cookie block, you can use the SameSite=None; Secure cookie attribute in conjunction with a third-party domain that sup ...

Geschrieben von Joniemartinez am 21.12.2024 13:28:24
Forum: HTML, JavaScript, AJAX, jQuery, CSS, Bootstrap, LESS
Probleme mit speichern in Datenbank in französisch

Les erreurs fréquentes lors de l'enregistrement de données dans une base de données incluent des problèmes de connexion, des erreurs de syntax ...

Geschrieben von Alice12 am 18.12.2024 05:07:21
Forum: PHP Developer Forum
Gibt es eine API zum Abrufen von PHP-Code-Referenzen?

PHP.net bietet eine umfassende Online-Dokumentation für PHP. Es gibt keine offizielle API zum Abrufen von PHP-Dokumentationen direkt, aber du kan ...

Geschrieben von Alice12 am 18.12.2024 05:03:27
Forum: PHP Developer Forum