"Statement may not contain PRAGMA" error is not strictly true #1185

Closed
simonw opened this issue Jan 12, 2021 · 3 comments
Labels
bug minor Minor bugs (not high priority) usability

Comments

Owner

simonw commented Jan 12, 2021

Consider https://latest.datasette.io/fixtures?sql=select+%27select%0D%0A%27+%7C%7C+group_concat%28%27++++case+when+%5B%27+%7C%7C+name+%7C%7C+%27%5D+is+not+null+then+%27+%7C%7C+quote%28name+%7C%7C+%27%2C+%27%29+%7C%7C+%27+else+%27%27%27%27+end%27%2C+%27+%7C%7C%0D%0A%27%29+%7C%7C+%27%0D%0A++as+columns%2C%0D%0A++count%28*%29+as+num_rows%0D%0Afrom%0D%0A++%5B%27+%7C%7C+%3Atable+%7C%7C+%27%5D%0D%0Agroup+by%0D%0A++columns%0D%0Aorder+by%0D%0A++num_rows+desc%27+as+query+from+pragma_ytable_info%28%3Atable%29&table=facetable

It says "Statement may not contain PRAGMA" - but that's not actually true. Datasette has an allow-list of PRAGMA that are OK - in this case there was a typo in `pragma_ytable_info` which caused the error, but `pragma_table_info` would have been OK.

So the error message is misleading.

@simonw simonw added bug minor Minor bugs (not high priority) usability labels Jan 12, 2021
Owner Author

simonw commented Jan 12, 2021

https://docs.datasette.io/en/stable/sql_queries.html?highlight=pragma#named-parameters documentation is out-of-date as well:

> Datasette disallows custom SQL containing the string PRAGMA, as SQLite pragma statements can be used to change database settings at runtime. If you need to include the string "pragma" in a query you can do so safely using a named parameter.

Owner Author

simonw commented Jan 12, 2021

That allow-list was added in #761 but is not currently documented. It's here in the code:

```python
allowed_pragmas = (
    "database_list",
    "foreign_key_list",
    "function_list",
    "index_info",
    "index_list",
    "index_xinfo",
    "page_count",
    "max_page_count",
    "page_size",
    "schema_version",
    "table_info",
    "table_xinfo",
)
```

Owner Author

simonw commented Jan 12, 2021

I'm going to change the error message to list the allowed pragmas.

@simonw simonw closed this as completed in 640ac70 Jan 12, 2021
simonw added a commit that referenced this issue Jan 19, 2021
@simonw simonw added this to the Datasette 0.54 milestone Jan 24, 2021
This was referenced Jan 25, 2021
simonw added a commit that referenced this issue Jan 25, 2021
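
An added example, not Datasette's own code: one way to enforce the allow-list quoted in this thread so that the rejection message names the permitted pragma functions instead of claiming PRAGMA is never allowed. The names `check_pragmas`, `run_readonly`, `InvalidSql` and the message wording are assumptions made for this sketch.

```python
import re
import sqlite3

# Allow-list as quoted in the comment above.
ALLOWED_PRAGMAS = (
    "database_list", "foreign_key_list", "function_list", "index_info",
    "index_list", "index_xinfo", "page_count", "max_page_count",
    "page_size", "schema_version", "table_info", "table_xinfo",
)

# Match "pragma" anywhere in the text unless it is exactly pragma_<allowed>
# as a whole word. The \b stops pragma_table_infoX from slipping through,
# and a typo such as pragma_ytable_info is rejected like any other PRAGMA.
DISALLOWED = re.compile(
    r"pragma(?!_(?:%s)\b)" % "|".join(ALLOWED_PRAGMAS), re.IGNORECASE
)


class InvalidSql(Exception):
    """Raised when a query mentions PRAGMA outside the allow-list."""


def check_pragmas(sql):
    # Deliberately a plain text check: it also rejects the word inside a
    # string literal, which is why the docs suggest a named parameter.
    if DISALLOWED.search(sql):
        raise InvalidSql(
            "Statement contained a disallowed PRAGMA. Allowed pragma functions are "
            + ", ".join("pragma_" + name for name in ALLOWED_PRAGMAS)
        )


def run_readonly(conn, sql, params=None):
    """Validate the SQL text first, then execute it with bound parameters."""
    check_pragmas(sql)
    return conn.execute(sql, params or {}).fetchall()


if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    conn.execute("create table facetable (id integer, state text)")  # constructed sample
    print(run_readonly(conn, "select name from pragma_table_info(:table)",
                       {"table": "facetable"}))
    try:
        run_readonly(conn, "select * from pragma_ytable_info(:table)",
                     {"table": "facetable"})
    except InvalidSql as exc:
        print(exc)
```

Because the check only inspects the SQL text, a bound value containing "pragma" passes while the same word typed inline does not.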