On Fri, 07 Mar 2014 15:39:57 +0100 Clemens Ladisch <clem...@ladisch.de> wrote:

> Actually, no change to SQLite itself would be needed. It's possible
> to create an extension that provides a function that allows to
> register another function that executes a custom SQL expression:
>
> SELECT register_simple_function('rpad', 2, 'SELECT printf
> (''%-*s'', ?, ?)');
>
>
> In practice, the biggest problem probably is that SQLite doesn't have
> that many built-in functions; most useful functions would require more
> than that.

So, if a webapp that uses SQLite doesn't check its input, functions that
rename SQLite internals can be injected:

SELECT register_simple_function('MAX', 1, 'DROP TABLE ?');

No?

> Regards,
> Clemens

--- ---
Eduardo Morras <emorr...@yahoo.es>
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
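Added example, not part of the thread or of any SQLite extension discussed in it: the defensive counterpart to the concern above. The rpad function is registered from the host application with sqlite3's create_function API (the function exists only in this process, not as a SQL-callable registration), and the lookup binds user input as a parameter so the value is never parsed as SQL. A deliberately unsafe string-concatenation variant is kept beside it only to contrast the behaviour; the users table and its rows are constructed here.

```python
import sqlite3


def rpad(value, width):
    """Right-pad VALUE with spaces to WIDTH characters, like printf('%-*s', width, value)."""
    if value is None:
        return None
    return str(value).ljust(int(width))


def open_db():
    # Constructed in-memory database with a small sample table (not from the thread).
    conn = sqlite3.connect(":memory:")
    # Function registration stays in the host language: SQL text sent to the
    # database cannot create, rename or override functions.
    conn.create_function("rpad", 2, rpad)
    conn.execute("CREATE TABLE users(name TEXT)")
    conn.executemany("INSERT INTO users(name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_padded(conn, name):
    """Parameterised lookup: the bound value is data, never SQL."""
    row = conn.execute(
        "SELECT rpad(name, 8) FROM users WHERE name = ?", (name,)
    ).fetchone()
    return row[0] if row else None


def lookup_padded_unsafe(conn, name):
    """The concatenation pattern the thread warns about, kept only for contrast."""
    sql = "SELECT rpad(name, 8) FROM users WHERE name = '" + name + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_db()
    payload = "' OR '1'='1"  # constructed tautology input, not a real user name
    print(repr(lookup_padded(db, "bob")))            # 'bob     '
    print(repr(lookup_padded(db, payload)))          # None: no such user
    print(repr(lookup_padded_unsafe(db, payload)))   # 'alice   ': WHERE clause rewritten
```

With binding, the spliced-in text in the message above would reach the engine only as a string value compared against the name column; with concatenation it becomes part of the statement, which is the whole difference the thread is circling around.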