On Fri, 29 Jun 2018, Richard Hipp wrote:
> On 6/29/18, Bob Friesenhahn <bfrie...@simple.dallas.tx.us> wrote:
>> Without adding all the necessary safe-guards to ensure that only valid
>> data goes into the database, sqlite puts the using application at risk
>> (security and stability) with its wishy-washy ways.
>
> Can you provide an example of a security or stability problem caused
> by flexible typing?

It is only necessary for the database to return something that the
application is not designed for in order to cause problems for the
application. The ability to inject wrong data depends on the
interfaces which are exposed for introducing the wrong data (possibly
including the sqlite3 shell), and any added safeguards in the database
itself.

Assuring that the expected type is returned is just part of the
problem since often only particular values or ranges are allowable.
This is why our database includes many checks (including using
triggers) to defend against errant data (including the underlying
type) on the way in. Unfortunately, such checks make the schema
larger, consuming more RAM in all applications using the database.

Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
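
The kind of type and range guards described in the message above, as an added example that is not part of the original thread or anyone's actual schema. The table names, the `port` column and its 1..65535 range are assumptions for illustration; it uses Python's standard `sqlite3` module with constructed sample values.

```python
import sqlite3

# Hypothetical schema: the application assumes "port" is always an
# integer in 1..65535. "loose" relies on the declared type alone.
SCHEMA = """
CREATE TABLE loose (port INTEGER);
CREATE TABLE guarded (
    port INTEGER NOT NULL
        CHECK (typeof(port) = 'integer' AND port BETWEEN 1 AND 65535)
);
-- The same guard written as a trigger.
CREATE TABLE triggered (port INTEGER);
CREATE TRIGGER triggered_port_guard BEFORE INSERT ON triggered
WHEN typeof(NEW.port) <> 'integer' OR NEW.port NOT BETWEEN 1 AND 65535
BEGIN
    SELECT RAISE(ABORT, 'port must be an integer in 1..65535');
END;
"""
TABLES = ("loose", "guarded", "triggered")
# Constructed sample inputs: valid, wrong type, out of range, NULL, blob.
SAMPLES = [8080, "abc", 1.5, 70000, None, b"\x00\x50"]

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def try_insert(db, table, value):
    """Return typeof() of the stored value, or None if the row was rejected."""
    if table not in TABLES:  # table names cannot be bound as parameters
        raise ValueError(table)
    try:
        cur = db.execute(f"INSERT INTO {table} (port) VALUES (?)", (value,))
    except sqlite3.IntegrityError:
        return None
    row = db.execute(f"SELECT typeof(port) FROM {table} WHERE rowid = ?",
                     (cur.lastrowid,)).fetchone()
    return row[0]

def survey(db):
    """Map each table to {repr(sample): stored type or None}."""
    return {t: {repr(v): try_insert(db, t, v) for v in SAMPLES} for t in TABLES}

if __name__ == "__main__":
    for table, results in survey(open_db()).items():
        print(table, results)
```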