On 20 Dec 2018, at 5:27pm, Jens Alfke <j...@mooseyard.com> wrote:

> On Dec 19, 2018, at 10:32 AM, Simon Slavin <slav...@bigfraud.org> wrote:
>
>> I'm not sure how you would do that purely inside a trigger. You can't just
>> specially craft a BLOB with bad content. I think it would need
>> participation from the software making the call to the API.
>
> Can’t you put [nearly] any SQL statement in the body of a trigger? Including
> one with an x’…’ blob literal?

Yes, but you can't program the program which accesses the SQLite API. Your app, or my app, retrieving that BLOB, wouldn't necessarily try to execute it, or store the BLOB in exactly the right place in memory for it to do something malicious.

Simon.
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
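
The exchange above, as an added example that is not part of the original thread: a trigger body can carry a blob literal and runs on an ordinary INSERT, the application reading the column back receives only inert bytes, and an authorizer callback can refuse any action that originates inside a trigger. The table names, the trigger name and the `DEADBEEF` value are constructed for illustration.

```python
import sqlite3

def build_sample_db():
    """Constructed sample: a schema whose trigger body contains a blob literal."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE notes(id INTEGER PRIMARY KEY, body TEXT);
        CREATE TABLE attachments(note_id INTEGER, data BLOB);
        CREATE TRIGGER notes_ai AFTER INSERT ON notes BEGIN
            INSERT INTO attachments VALUES (new.id, x'DEADBEEF');
        END;
    """)
    return db

def list_triggers(db):
    """Return (name, table, sql) for every trigger stored in the schema,
    so a database file from elsewhere can be reviewed before it is written to."""
    return db.execute(
        "SELECT name, tbl_name, sql FROM sqlite_master "
        "WHERE type = 'trigger' ORDER BY name"
    ).fetchall()

def insert_and_read(db):
    """An ordinary INSERT fires the trigger; the blob comes back as plain bytes."""
    db.execute("INSERT INTO notes(body) VALUES ('hello')")
    return db.execute("SELECT note_id, data FROM attachments").fetchall()

def insert_with_triggers_denied(db):
    """Install an authorizer that denies every action issued from a trigger or view."""
    def authorizer(action, arg1, arg2, dbname, source):
        # 'source' names the innermost trigger or view responsible for the
        # access, and is None for top-level SQL issued by the application.
        return sqlite3.SQLITE_DENY if source is not None else sqlite3.SQLITE_OK
    db.set_authorizer(authorizer)
    try:
        db.execute("INSERT INTO notes(body) VALUES ('again')")
        return "allowed"
    except sqlite3.DatabaseError:
        return "denied"

if __name__ == "__main__":
    conn = build_sample_db()
    for name, table, sql in list_triggers(conn):
        print(f"trigger {name} on {table}:\n{sql}")
    print(insert_and_read(conn))
    print(insert_with_triggers_denied(conn))
```
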