The new code is now live at https://latest.datasette.io/fixtures

I think mine has a better pattern for handling /* ... anything in here that isn't */ ... */

Here's yours on Debuggex: https://www.debuggex.com/r/HjdJryTy9ezGsuWK

Hah, I just came up with this one - we were clearly working on this at the same time!

^\s*((?:\-\-.*?\n\s*)|(?:\/\*((?!\*\/)[\s\S])*\*\/)\s*)*\s*select\b

https://www.debuggex.com/r/Rbw-UWD9PdOU2GyO

That's deployed to https://latest.datasette.io/ now - some examples:

• https://latest.datasette.io/fixtures?sql=--+one+kind+of+comment%0D%0Aselect+*+from+searchable
• https://latest.datasette.io/fixtures?sql=%2F+Multi%0D%0A++line+comment+%2F%0D%0Aselect+*+from+searchable
• https://latest.datasette.io/fixtures?sql=%2F+Both+kinds+%2F%0D%0A--+of+comment%0D%0A%2F+and+more+%2F%0D%0A--+and+more+and+more%0D%0Aselect+*+from+searchable

I'm never 100% sure how to tell if a regular expression includes a nasty denial of service attack - are there any inputs that could cause this new regex to execute in quadratic time or similar?

Here are the new tests - each of these should now work: https://github.com/simonw/datasette/blob/55a709c480a1e7401b4ff6208f37a2cf7c682183/tests/test_utils.py#L170-L175

I'm experimenting with this: ```python

Allow SQL to start with a / / or -- comment

comment_re = ( # Start of string, then any amount of whitespace r'^(\s' + # Comment that starts with -- and ends at a newline r'(?:--.?\n\s)' + # Comment that starts with / and ends with / r'|(?:/*[\s\S]?*/)' + # Whitespace r')\s' )

allowed_sql_res = [ re.compile(comment_re + r"select\b"), re.compile(comment_re + r"explain\s+select\b"), re.compile(comment_re + r"explain\s+query\s+plan\s+select\b"), re.compile(comment_re + r"with\b"), re.compile(comment_re + r"explain\s+with\b"), re.compile(comment_re + r"explain\s+query\s+plan\s+with\b"), ] ``` This should allow any number of comments of either type as a suffix to the allowed SQL patterns.

Needs extensive unit tests!

I'm not massively worried if it has a flaw in it though, since this is part of Datasette's defense in depth: if a non-SELECT query sneaks through it still shouldn't be able to cause any damage as the database connection is read-only or immutable.

Yeah we should fix this.

https://www.sqlite.org/lang_comment.html - SQLite also supports -- style comments.

I like how explicit the documentation is here:

SQL comments begin with two consecutive "-" characters (ASCII 0x2d) and extend up to and including the next newline character (ASCII 0x0a) or until the end of input, whichever comes first.

C-style comments begin with "/" and extend up to and including the next "/" character pair or until the end of input, whichever comes first. C-style comments can span multiple lines.