In the sqlite3_limit() interface, take out the feature where zero means

use the hard upper bound.  If an application wants the hard upper bound,
it can set the limit to 0x7fffffff and the bound will be automatically
truncated. (CVS 4900)

FossilOrigin-Name: d6be1f495ec57158f7bcca3e32145a9a8fde723a

2 files changed, 29 insertions, 23 deletions

diff --git a/src/main.c b/src/main.c
index c472ba320..140e64a62 100644
--- a/src/main.c
+++ b/src/main.c
@@ -14,7 +14,7 @@
 ** other files are for internal use by SQLite and should not be
 ** accessed by users of the library.
 **
-** $Id: main.c,v 1.427 2008/03/20 16:30:18 drh Exp $
+** $Id: main.c,v 1.428 2008/03/20 18:00:49 drh Exp $
 */
 #include "sqliteInt.h"
 #include <ctype.h>
@@ -1001,9 +1001,7 @@ int sqlite3_limit(sqlite3 *db, int limitId, int newLimit){
   }
   oldLimit = db->aLimit[limitId];
   if( newLimit>=0 ){
-    if( newLimit==0 ){
-      newLimit = aHardLimit[limitId];
-    }else if( aHardLimit[limitId]>0 && newLimit>aHardLimit[limitId] ){
+    if( newLimit>aHardLimit[limitId] ){
       newLimit = aHardLimit[limitId];
     }
     db->aLimit[limitId] = newLimit;
diff --git a/src/sqlite.h.in b/src/sqlite.h.in
index 6032cf8e5..158c6e1e3 100644
--- a/src/sqlite.h.in
+++ b/src/sqlite.h.in
@@ -30,7 +30,7 @@
 ** the version number) and changes its name to "sqlite3.h" as
 ** part of the build process.
 **
-** @(#) $Id: sqlite.h.in,v 1.297 2008/03/20 16:30:18 drh Exp $
+** @(#) $Id: sqlite.h.in,v 1.298 2008/03/20 18:00:49 drh Exp $
 */
 #ifndef _SQLITE3_H_
 #define _SQLITE3_H_
@@ -1619,14 +1619,14 @@ void sqlite3_randomness(int N, void *P);
 ** CAPI3REF: Compile-Time Authorization Callbacks {F12500}
 **
 ** This routine registers a authorizer callback with a particular
-** database connection, supplied in the first argument.
+** [database connection], supplied in the first argument.
 ** The authorizer callback is invoked as SQL statements are being compiled
 ** by [sqlite3_prepare()] or its variants [sqlite3_prepare_v2()],
 ** [sqlite3_prepare16()] and [sqlite3_prepare16_v2()].  At various
 ** points during the compilation process, as logic is being created
 ** to perform various actions, the authorizer callback is invoked to
 ** see if those actions are allowed.  The authorizer callback should
-** return SQLITE_OK to allow the action, [SQLITE_IGNORE] to disallow the
+** return [SQLITE_OK] to allow the action, [SQLITE_IGNORE] to disallow the
 ** specific action but allow the SQL statement to continue to be
 ** compiled, or [SQLITE_DENY] to cause the entire SQL statement to be
 ** rejected with an error.   If the authorizer callback returns
@@ -1639,9 +1639,9 @@ void sqlite3_randomness(int N, void *P);
 ** [sqlite3_prepare_v2()] or equivalent call that triggered the
 ** authorizer will fail with an error message explaining that
 ** access is denied.  If the authorizer code is [SQLITE_READ]
-** and the callback returns [SQLITE_IGNORE] then the prepared
-** statement is constructed to insert a NULL value in place of
-** the table column that would have
+** and the callback returns [SQLITE_IGNORE] then the
+** [prepared statement] statement is constructed to substitute
+** a NULL value in place of the table column that would have
 ** been read if [SQLITE_OK] had been returned.  The [SQLITE_IGNORE]
 ** return can be used to deny an untrusted user access to individual
 ** columns of a table.
@@ -1654,7 +1654,8 @@ void sqlite3_randomness(int N, void *P);
 ** parameters to the callback are zero-terminated strings that contain 
 ** additional details about the action to be authorized.
 **
-** An authorizer is used when preparing SQL statements from an untrusted
+** An authorizer is used when [sqlite3_prepare | preparing]
+** SQL statements from an untrusted
 ** source, to ensure that the SQL statements do not try to access data
 ** that they are not allowed to see, or that they do not try to
 ** execute malicious statements that damage the database.  For
@@ -1662,8 +1663,13 @@ void sqlite3_randomness(int N, void *P);
 ** SQL queries for evaluation by a database.  But the application does
 ** not want the user to be able to make arbitrary changes to the
 ** database.  An authorizer could then be put in place while the
-** user-entered SQL is being prepared that disallows everything
-** except SELECT statements.  
+** user-entered SQL is being [sqlite3_prepare | prepared] that
+** disallows everything except [SELECT] statements.
+**
+** Applications that need to process SQL from untrusted sources
+** might also consider lowering resource limits using [sqlite3_limit()]
+** and limiting database size using the [max_page_count] [PRAGMA]
+** in addition to using an authorizer.
 **
 ** Only a single authorizer can be in place on a database connection
 ** at a time.  Each call to sqlite3_set_authorizer overrides the
@@ -2166,35 +2172,37 @@ typedef struct sqlite3_stmt sqlite3_stmt;
 ** new limit for that construct.  The function returns the old limit.
 **
 ** If the new limit is a negative number, the limit is unchanged.
-** If the new limit is zero, the construct becomes unlimited.  Actually,
-** there is a hard upper bound on the size of all constructs that
-** is determined at compile-time.  For the limit category of 
-** SQLITE_LIMIT_XYZ the hard upper bound is the compile-time
-** constant SQLITE_MAX_XYZ.  Attempts to increase a limit above its
-** hard upper bound are silently truncated.
+** For the limit category of SQLITE_LIMIT_XYZ there is a hard upper
+** bound set by a compile-time C-preprocess macro named SQLITE_MAX_XYZ.
+** (The "_LIMIT_" in the name is changed to "_MAX_".)
+** Attempts to increase a limit above its hard upper bound are
+** silently truncated to the hard upper limit.
 **
 ** Run time limits are intended for use in applications that manage
 ** both their own internal database and also databases that are controlled
 ** by untrusted external sources.  An example application might be a
 ** webbrowser that has its own databases for storing history and
 ** separate databases controlled by javascript applications downloaded
-** of the internet.  The internal databases can be given the
+** off the internet.  The internal databases can be given the
 ** large, default limits.  Databases managed by external sources can
 ** be given much smaller limits designed to prevent a denial of service
-** attach.
+** attach.  Developers might also want to use the [sqlite3_set_authorizer()]
+** interface to further control untrusted SQL.  The size of the database
+** created by an untrusted script can be contained using the
+** [max_page_count] [PRAGMA].
 **
 ** This interface is currently considered experimental and is subject
 ** to change or removal without prior notice.
 **
 ** INVARIANTS:
 **
-** {F12763} A successful call to [sqlite3_limit(D,C,V)] where V is
+** {F12762} A successful call to [sqlite3_limit(D,C,V)] where V is
 **          positive changes the
 **          limit on the size of construct C in [database connection] D
 **          to the lessor of V and the hard upper bound on the size
 **          of C that is set at compile-time.
 **
-** {F12763} A successful call to [sqlite3_limit(D,C,V)] where V is zero
+** {F12764} A successful call to [sqlite3_limit(D,C,V)] where V is zero
 **          changes the limit on the size of construct C in
 **          [database connection] D to be the hard upper bound on the size
 **          of C that is set at compile-time.