Beyond unauthorized data access, what security considerations should I have regarding a user-facing language based on SQL SELECT statements?

I’m considering making a new language based on SQL SELECT statements to allow users to export CSV data in the manner they please. I’m confident in being able to interface this with a permissions system by inspecting the resulting AST from parsing before turning it into a SELECT statement to execute, so I’m not really concerned about this leading to unauthorized data access.

This language would be pretty much a 1-to-1 mapping of SQL SELECT statements, except for a few changes regarding joins and a few other things.

Users are relatively few and can be easily traced and contacted. It’s not the public at large.

The underlying DB would be MariaDB.

What should I be concerned about from this idea? If it’s a bad idea, why?

I thought about the possibility of making a query that doesn’t terminate by using WITH RECURSIVE, so I’m not going to support that syntax, and I made the following question at the DBA SE to see what other ways a SELECT statement could be non-terminating (I thought of a few more while writing that question):

What are all the ways that a SELECT statement could be made to not terminate or take a very long time?

Besides that, is there anything more? Any particular risk? Is it possible to make some type of resource bomb with it, to consume all memory for example?

Access to this language could be put under a permission so only very privileged users could use it, but I wonder if that’s needed.

Checking if two statements can be reached in one control flow

Assume I have a graph representing the control flow and the call graph of a given program. I also have a first and a second statement. I now want to figure out if it is possible to execute both statements (in order) within the same program execution.

Control Flow Graph: I have a graph with all the statements of the program and edges connecting the statements determining the control flow of the program intra function (i.e., within a function).

Call Graph: I also have edges connecting any function call with the start of the function control flow of the called function.

The literature I found concerning control flow covers only intra function flow analysis and the only correct approach I can come up with is a depth first (or breadth first) search starting from the first statement. This, however, hardly feels correct as it is quite cumbersome and I would expect a better solution.

I’ve been asked to change this statements into predicate form by using standard form but I’m stuck

I studied Artificial intelligence a long time ago and I’ve had no interest in it. I studied Artificial intelligence a long time ago and I’ve had no interest in it. But recently one of my friends asked me to change the following states into predicate form by using a standard form. Can someone help me?

• Marin is married to Sylvia who has a daughter Joy. • Harry is the son of Amos who is married to Joy. • The parent of one’s parent is his/her grandparent.
• If a person is married to another person who has a child then the first person is also a parent of the child.
• If a person is married to another person then the latter person is married to the former.

Change these sentences to predicate form, by using the standard form of logic and the following predicates: parent(X, Y), grandparent(X, Y), and married_to (X, Y).

I know it may look simple for some of you. But I recently went to another field about 2 years ago. Thank you.

Why is using prepared statements in PHP considered best practice?

Let me first start by stating that I am by no means a webdeveloper, so please do point out if I’m going in the wrong somewhere in my story.

I think most people agree with the idea that using prepared statements effectively stops injections if executed properly. With that said, in order to write prepared statements in PHP, you need to establish a connection with the database in your php file. In other words, if the webserver ever becomes compromised, the account used to establish a connection with the database becomes compromised as well as its basically there inside a php file, allowing your attacker to basically create dumps out of your database. If I were to design an application, I would separate the website and the logic, through some API server or something similar, in order to make sure that the database account isn’t compromised as well.

Why is it that nobody points out what in my eyes looks like an obvious security flaw in PHP? Or is the chance of this being exploited so small that people aren’t even considering the chances that it might happen?

How to write suitable three address code for switch-case statements?

I want to translate a java switch-case statement to intermediate representation of the three address code form. Three address code or TAC is a form of intermediate representation where each instruction contains at most three addresses and one operator. An address is a name such as x (stored in the symbol table), compiler generated temporary such as $ t_{1}$ or a constant such as 3.14 or ‘s’. A name could refer to a variable, label, etc. If you have an arithmetic statement

(3 * w) + y

then the corresponding TAC would be

$ t_{1}$ = 3 * w

$ t_{2}$ = $ t_{1}$ + y

Now, when it comes to switch statements, my textbook (the Dragon Book for Compilers), gives a translation of this form:

TAC for switch-case statement

for a switch-case statement of this type:

switch E

case V1: S1

case Vn-1: Sn-1

default: Sn

Assuming the first translation is used, at the code generation stage (when we convert 3AC to machine code), the code generator will interpret the instructions as a sequence of conditional and unconditional jumps with intervening labeled statement blocks. It would translate them into the machine code (say x86) version of the same. When these instructions are executed by the processor, it handles each jump sequentially to determine the correct labeled block to be executed. But, I have also read that the machine code translation of a switch-case statement includes a jump table that allows the processor to execute the entire switch statement in one go. So, then which version is used?

I wanted to post this on stackoverflow but I do not have enough reputation to post an image.

WooCommerce IF statements not working

I am trying to use the WooCommerce Conditional Tags to only include a template into specific product pages.

However my statements aren’t working, and they show on all pages. I’d like to NOT display my template in a specific category and its product pages:

// Show in Shop Page OR NOT in Products IDs 15852,15859,15863,15866 OR NOT Category Archive Gift Cards

I’ve also tried the opposite:

Can you please advise how to get it to work?

Our website:


Can I write portable SQL statements?

I am wondering if it is possible to write SQL statements that are 100% interoperable with most or all databases including:

  • MariaDB/MySQL/Percona
  • Postgres
  • Microsoft SQL
  • Oracle
  • SQLite

(Eg, can I just follow a specific SQL standard? Eg, is there something similar to POSIX compliance standards for SQL?)

If so, are there any linting tools available that I can use in a git post-receive hook to reject SQL usage that doesn’t follow such a standard or non-compliant SQL code without having to try to commit the code on all DBs?

Trouble with or statements and short circuiting

I’ve my code as follows:

class Main { public static void main(String[] args) { boolean s; boolean x = true; System.out.println(x || s); } }

I’ve learned that or statements in java short-circuit once the computer finds any value to be true. Here, I’ve declared but not initialized s, but I’ve done both with x. I put an or statement with x at the front, but the computer displays an error, citing that s hasn’t been initialized. Why’s this occurring? Shouldn’t it automatically display a true once it realizes that x is true, and satisfies the or statement? Thanks.