On 20 Dec 2018, at 5:27pm, Jens Alfke <j...@mooseyard.com> wrote:

> On Dec 19, 2018, at 10:32 AM, Simon Slavin <slav...@bigfraud.org> wrote:
> 
>> I'm not sure how you would do that purely inside a trigger.  You can't just 
>> specially craft a BLOB with bad content.  I think it would need 
>> participation from the software making the call to the API.
> 
> Can’t you put [nearly] any SQL statement in the body of a trigger? Including 
> one with an x’…’ blob literal?

Yes, but you can't program the program which accesses the SQLite API. Your app, 
or my app, retrieving that BLOB, wouldn't necessarily try to execute it, or 
store the BLOB in exactly the right place in memory for it to do something 
malicious.

Simon.
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
