html_url,issue_url,id,node_id,user,user_label,created_at,updated_at,author_association,body,reactions,issue,issue_label,performed_via_github_app
https://github.com/simonw/datasette/issues/1860#issuecomment-1292685478,https://api.github.com/repos/simonw/datasette/issues/1860,1292685478,IC_kwDOBm6k_c5NDNCm,9599,simonw,2022-10-26T21:42:35Z,2022-10-26T21:42:35Z,OWNER,"That's deployed to https://latest.datasette.io/ now - some examples:

- https://latest.datasette.io/fixtures?sql=--+one+kind+of+comment%0D%0Aselect+*+from+searchable
- https://latest.datasette.io/fixtures?sql=%2F*+Multi%0D%0A++line+comment+*%2F%0D%0Aselect+*+from+searchable
- https://latest.datasette.io/fixtures?sql=%2F*+Both+kinds+*%2F%0D%0A--+of+comment%0D%0A%2F*+and+more+*%2F%0D%0A--+and+more+and+more%0D%0Aselect+*+from+searchable","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1424378012,SQL query field can't begin by a comment,
https://github.com/simonw/datasette/issues/1860#issuecomment-1292679567,https://api.github.com/repos/simonw/datasette/issues/1860,1292679567,IC_kwDOBm6k_c5NDLmP,9599,simonw,2022-10-26T21:36:25Z,2022-10-26T21:36:25Z,OWNER,I'm never 100% sure how to tell if a regular expression includes a nasty denial of service attack - are there any inputs that could cause this new regex to execute in quadratic time or similar?,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1424378012,SQL query field can't begin by a comment,
https://github.com/simonw/datasette/issues/1860#issuecomment-1292678657,https://api.github.com/repos/simonw/datasette/issues/1860,1292678657,IC_kwDOBm6k_c5NDLYB,9599,simonw,2022-10-26T21:35:23Z,2022-10-26T21:35:37Z,OWNER,Here are the new tests - each of these should now work: https://github.com/simonw/datasette/blob/55a709c480a1e7401b4ff6208f37a2cf7c682183/tests/test_utils.py#L170-L175,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1424378012,SQL query field can't begin by a comment,
https://github.com/simonw/datasette/issues/1860#issuecomment-1292674919,https://api.github.com/repos/simonw/datasette/issues/1860,1292674919,IC_kwDOBm6k_c5NDKdn,9599,simonw,2022-10-26T21:31:22Z,2022-10-26T21:31:22Z,OWNER,"I'm experimenting with this:

```python
import re

# Allow SQL to start with a /* */ or -- comment
comment_re = (
    # Start of string, then any amount of whitespace
    r'^(\s*' +
    # Comment that starts with -- and ends at a newline
    r'(?:\-\-.*?\n\s*)' +
    # Comment that starts with /* and ends with */
    r'|(?:/\*[\s\S]*?\*/)' +
    # Whitespace
    r')*\s*'
)

allowed_sql_res = [
    re.compile(comment_re + r""select\b""),
    re.compile(comment_re + r""explain\s+select\b""),
    re.compile(comment_re + r""explain\s+query\s+plan\s+select\b""),
    re.compile(comment_re + r""with\b""),
    re.compile(comment_re + r""explain\s+with\b""),
    re.compile(comment_re + r""explain\s+query\s+plan\s+with\b""),
]
```

This should allow any number of comments of either type as a suffix to the allowed SQL patterns.

Needs extensive unit tests!

I'm not massively worried if it has a flaw in it though, since this is part of Datasette's defense in depth: if a non-SELECT query sneaks through it still shouldn't be able to cause any damage as the database connection is read-only or immutable.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1424378012,SQL query field can't begin by a comment,
https://github.com/simonw/datasette/issues/1860#issuecomment-1292659986,https://api.github.com/repos/simonw/datasette/issues/1860,1292659986,IC_kwDOBm6k_c5NDG0S,9599,simonw,2022-10-26T21:14:26Z,2022-10-26T21:15:22Z,OWNER,"Yeah we should fix this.

https://www.sqlite.org/lang_comment.html - SQLite also supports `-- style` comments.

I like how explicit the documentation is here:

> SQL comments begin with two consecutive ""-"" characters (ASCII 0x2d) and extend up to and including the next newline character (ASCII 0x0a) or until the end of input, whichever comes first.
>
> C-style comments begin with ""/*"" and extend up to and including the next ""*/"" character pair or until the end of input, whichever comes first. C-style comments can span multiple lines.","{""total_count"": 1, ""+1"": 1, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1424378012,SQL query field can't begin by a comment,
https://github.com/simonw/datasette/issues/1860#issuecomment-1292390996,https://api.github.com/repos/simonw/datasette/issues/1860,1292390996,IC_kwDOBm6k_c5NCFJU,562352,CharlesNepote,2022-10-26T17:43:41Z,2022-10-26T17:43:41Z,NONE,"I guess the issue is here: https://github.com/simonw/datasette/blob/9676b2deb07cff20247ba91dad3e84a4ab0b00d1/datasette/utils/__init__.py#L209

Here is a working regexp allowing it:

```diff
- re.compile(r""^select\b""),
+ re.compile(r""^\s*(/\*.+?(?=\*/)\*/\s*)*select""),
```

`^\s*`: beginning with 0 or an infinite number of \s (spaces, tabs, newlines...)

`(/\*.+?(?=\*/)\*/\s*)*`: 0 or an infinite number of chunks beginning with `/*` and ending at the next occurrence of `*/`, followed by 0 or an infinite number of \s

You can play with the regexp here: https://regex101.com/r/aESXDL/3","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1424378012,SQL query field can't begin by a comment,