On Fri, 07 Mar 2014 15:39:57 +0100
Clemens Ladisch <[email protected]> wrote:
> Actually, no change to SQLite itself would be needed. It's possible
> to create an extension that provides a function that allows to
> register another function that executes a custom SQL expression:
>
> SELECT register_simple_function('rpad', 2, 'SELECT printf(''%-*s'', ?, ?)');
>
>
> In practice, the biggest problem probably is that SQLite doesn't have
> that many built-in functions; most useful functions would require more
> than that.
So, if a webapp that uses SQLite doesn't check its input, functions that
rename SQLite internals can be injected:

SELECT register_simple_function('MAX', 1, 'DROP TABLE ?');

No?
>
>
> Regards,
> Clemens
-- 
Eduardo Morras <[email protected]>
_______________________________________________
sqlite-users mailing list
[email protected]
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
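As an added illustration (not code from the thread, from SQLite or from any real extension), here is a toy Python model of the hypothetical register_simple_function() extension, built so that function bodies are dry-run on a throwaway connection at registration time; it shows why the injected 'DROP TABLE ?' body fails in this model and that the actual mitigation for the "doesn't check its input" case is binding user input instead of splicing it into SQL. The names SimpleFunctionRegistry, rpad_via_registry, try_hostile_registration and safe_lookup are assumptions of this example.

```python
import sqlite3

class SimpleFunctionRegistry:
    """Toy stand-in for the hypothetical register_simple_function() extension."""

    def __init__(self, conn):
        self.conn = conn
        # Bodies run on a throwaway connection that holds none of the app's
        # tables, so a body can compute a value but not touch the real schema.
        self.evaluator = sqlite3.connect(":memory:")

    def register(self, name, nargs, body):
        # Compile and dry-run the body once, at registration time, with NULLs
        # bound to each '?'. 'DROP TABLE ?' is a syntax error (a placeholder
        # binds a value, never an identifier) and 'DROP TABLE users' fails
        # because the evaluator connection has no such table.
        self.evaluator.execute(body, (None,) * nargs)

        def impl(*args):
            return self.evaluator.execute(body, args).fetchone()[0]

        self.conn.create_function(name, nargs, impl)

def rpad_via_registry(width, text):
    """Clemens' rpad: body 'SELECT printf(''%-*s'', ?, ?)', both arguments bound."""
    conn = sqlite3.connect(":memory:")
    SimpleFunctionRegistry(conn).register("rpad", 2, "SELECT printf('%-*s', ?, ?)")
    return conn.execute("SELECT rpad(?, ?)", (width, text)).fetchone()[0]

def try_hostile_registration(body, nargs=1):
    """Eduardo's case: returns (registration_accepted, app_table_still_exists)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT)")  # constructed application table
    accepted = True
    try:
        SimpleFunctionRegistry(conn).register("MAX", nargs, body)
    except sqlite3.Error:
        accepted = False
    exists = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE name = 'users'").fetchone()[0]
    return accepted, exists == 1

def safe_lookup(user_input):
    """The real fix for the 'doesn't check its input' case: bind user input as a
    value, so a string containing a register_simple_function(...) call is data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice')")  # constructed row
    return conn.execute("SELECT name FROM users WHERE name = ?", (user_input,)).fetchall()
```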