Skip to content

sqlite: allow setting limits on inputs #61268

New issue
New issue
Open
Open
sqlite: allow setting limits on inputs#61268
Labels
feature requestIssues that request new features to be added to Node.js.sqliteIssues and PRs related to the SQLite subsystem.
@louwers

Description

@louwers
louwers
opened on Jan 4, 2026

What is the problem this feature will solve?

The SQLite documentation describes in Defence Against the Dark Arts techniques for defending against malicious SQL input in SQLite databases.

In #60217 I added support for the defensive flag, which prevents malicious input from corrupting the database.

The second item mentioned is setting limits on various inputs.

What is the feature you are proposing to solve the problem?

The sqlite3_limit() API can be used to set limits. There are various constants such as SQLITE_MAX_LENGTH that can be used with it. More info: https://sqlite.org/limits.html

I suggest that we allow configuring all limits by:

  • Allowing them to be passed on DatabaseSync construction.
  • Adding getters.
  • Adding setters.
const db = new DatabaseSync(':memory:', {
  limits: {
    length: 1000000,
    sqlLength: 100000,
    column: 100,
    exprDepth: 10,
    compoundSelect: 3,
    vbdeOp: 25000,
    functionArg: 8,
    attach: 0,
    likePatternLength: 50,
    variableNumber: 10,
    triggerDepth: 10
  }
});

// getters
t.assert(db.limits.length, 1000000);
t.assert(db.limits.sqlLength, 1000000);
t.assert(db.limits.column, 100);
t.assert(db.limits.exprDepth, 10);
t.assert(db.limits.compoundSelect, 3);
t.assert(db.limits.vbdeOp, 25000);
t.assert(db.limits.functionArg, 8);
t.assert(db.limits.attach, 0);
t.assert(db.limits.likePatternLength, 50);
t.assert(db.limits.variableNumber, 10);
t.assert(db.limits.triggerDepth, 10);

// setters
db.limits.length = 1000000000;
db.limits.sqlLength = 1000000000;
db.limits.column = 2000;
db.limits.exprDepth = 1000;
db.limits.compoundSelect = 500;
db.limits.vbdeOp = 250000000;
db.limits.functionArg = 127;
db.limits.attach = 10;
db.limits.likePatternLength = 50000;
db.limits.variableNumber = 999;
db.limits.triggerDepth = 1000;

What alternatives have you considered?

Instead of using camelCase names for the limits, we could also expose constants SQLITE_LIMIT_LENGTH, SQLITE_LIMIT_SQL_LENGTH etc.

However, I think it we should adopt a sensible JavaScript API. This seems to be consistent with the overall API design of the SQLite module.

cc @nodejs/sqlite

Metadata

Metadata

Assignees

No one assigned

    Labels

    feature requestIssues that request new features to be added to Node.js.sqliteIssues and PRs related to the SQLite subsystem.

    Type

    No type

    Projects

    Node.js feature requests

    Status

    Awaiting Triage

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions