The new code is now live at https://latest.datasette.io/fixtures

I think mine has a better pattern for handling /* ... anything in here that isn't */ ... */

Here's yours on Debuggex: https://www.debuggex.com/r/HjdJryTy9ezGsuWK

Hah, I just came up with this one - we were clearly working on this at the same time!

^\s*((?:\-\-.*?\n\s*)|(?:\/\*((?!\*\/)[\s\S])*\*\/)\s*)*\s*select\b

https://www.debuggex.com/r/Rbw-UWD9PdOU2GyO

Here is my suggestion:

^\s*((?:\-\-.*?\n\s*)|(?:/\*.*?(?=\*/)\*/\s*))*select\b

See the following test: https://regex101.com/r/Doeqqa/1

And here I played all your tests: https://regexr.com/713ir

Sorry I forgot the -- comments like that.

I'm afraid there is an issue in your regexp, see: https://regex101.com/r/pyubJf/1

I guess I can fix it.

That's deployed to https://latest.datasette.io/ now - some examples:

• https://latest.datasette.io/fixtures?sql=--+one+kind+of+comment%0D%0Aselect+*+from+searchable
• https://latest.datasette.io/fixtures?sql=%2F+Multi%0D%0A++line+comment+%2F%0D%0Aselect+*+from+searchable
• https://latest.datasette.io/fixtures?sql=%2F+Both+kinds+%2F%0D%0A--+of+comment%0D%0A%2F+and+more+%2F%0D%0A--+and+more+and+more%0D%0Aselect+*+from+searchable

I'm never 100% sure how to tell if a regular expression includes a nasty denial of service attack - are there any inputs that could cause this new regex to execute in quadratic time or similar?

Here are the new tests - each of these should now work: https://github.com/simonw/datasette/blob/55a709c480a1e7401b4ff6208f37a2cf7c682183/tests/test_utils.py#L170-L175

I'm experimenting with this: ```python

Allow SQL to start with a / / or -- comment

comment_re = ( # Start of string, then any amount of whitespace r'^(\s' + # Comment that starts with -- and ends at a newline r'(?:--.?\n\s)' + # Comment that starts with / and ends with / r'|(?:/*[\s\S]?*/)' + # Whitespace r')\s' )

allowed_sql_res = [ re.compile(comment_re + r"select\b"), re.compile(comment_re + r"explain\s+select\b"), re.compile(comment_re + r"explain\s+query\s+plan\s+select\b"), re.compile(comment_re + r"with\b"), re.compile(comment_re + r"explain\s+with\b"), re.compile(comment_re + r"explain\s+query\s+plan\s+with\b"), ] ``` This should allow any number of comments of either type as a suffix to the allowed SQL patterns.

Needs extensive unit tests!

I'm not massively worried if it has a flaw in it though, since this is part of Datasette's defense in depth: if a non-SELECT query sneaks through it still shouldn't be able to cause any damage as the database connection is read-only or immutable.

Yeah we should fix this.

https://www.sqlite.org/lang_comment.html - SQLite also supports -- style comments.

I like how explicit the documentation is here:

SQL comments begin with two consecutive "-" characters (ASCII 0x2d) and extend up to and including the next newline character (ASCII 0x0a) or until the end of input, whichever comes first.

C-style comments begin with "/" and extend up to and including the next "/" character pair or until the end of input, whichever comes first. C-style comments can span multiple lines.

I guess the issue is here: https://github.com/simonw/datasette/blob/9676b2deb07cff20247ba91dad3e84a4ab0b00d1/datasette/utils/init.py#L209

Here is a working regexp allowing it: diff - re.compile(r"^select\b"), + re.compile(r"^\s*(/\*.+?(?=\*/)\*/\s*)*select"), ^\s*: beginning by 0 or an infinite number of \s (spaces, tabs, newlines...) (/\*.+?(?=\*/)\*/\s*)*: 0 or an infinite number of chars beginning by /* and ending to the next occurrence of */ followed by 0 or an infinite number of \s

You can play with the regexp here: https://regex101.com/r/aESXDL/3