On Fri, Mar 7, 2014 at 10:19 PM, Eduardo Morras <emorr...@yahoo.es> wrote:
> On Fri, 07 Mar 2014 15:39:57 +0100
> Clemens Ladisch <clem...@ladisch.de> wrote:
>
>> Actually, no change to SQLite itself would be needed. It's possible
>> to create an extension that provides a function that allows registering
>> another function that executes a custom SQL expression:
>
> So, if a webapp that uses SQLite doesn't check its input, functions that
> rename SQLite internals can be injected
>
> SELECT register_simple_function('MAX', 1, 'DROP TABLE ?');
>
> No?
Not if the select is implicit, because then "select drop table ?" is invalid.
See my previous post. --DD

_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
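The following is an added example, not code from the thread or from SQLite: a small Python model of the hypothetical register_simple_function extension that Clemens describes, built on the standard sqlite3 module. The body expression is wrapped in an implicit SELECT, so the registrar rejects 'DROP TABLE ?' at registration time (a syntax error, as DD says), while an ordinary expression body works. The function name register_simple_function, the rule that the body must contain exactly nargs positional ? placeholders, and the users table are assumptions made for illustration.

```python
import sqlite3


def make_registrar(conn):
    """Return a register_simple_function(name, nargs, expr) for this connection.

    Assumption (not SQLite's real API): the registered function's body is a SQL
    expression that is evaluated as 'SELECT (<expr>)' with the call arguments
    bound to its positional '?' placeholders, in order.
    """

    def register_simple_function(name, nargs, expr):
        sql = "SELECT (" + expr + ")"
        # Compile the implicit SELECT once at registration time without running
        # it. EXPLAIN only prepares and describes the statement; a body such as
        # 'DROP TABLE ?' fails here with sqlite3.OperationalError (syntax error),
        # because a statement cannot be nested inside a SELECT expression.
        conn.execute("EXPLAIN " + sql, (None,) * nargs).fetchall()

        def body(*args):
            # Evaluate the expression with the call arguments bound as parameters.
            return conn.execute(sql, args).fetchone()[0]

        conn.create_function(name, nargs, body)

    return register_simple_function


def demo():
    conn = sqlite3.connect(":memory:")
    # Constructed sample data for the demonstration.
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice'), ('bob')")
    register_simple_function = make_registrar(conn)
    results = {}

    # A legitimate expression body: twice(x) -> x * 2
    register_simple_function("twice", 1, "? * 2")
    results["twice"] = conn.execute("SELECT twice(21)").fetchone()[0]

    # The body from the thread. The implicit SELECT turns it into
    # 'SELECT (DROP TABLE ?)', which SQLite refuses to compile.
    try:
        register_simple_function("MAX", 1, "DROP TABLE ?")
        results["drop_registered"] = True
    except sqlite3.OperationalError as exc:
        results["drop_registered"] = False
        results["drop_error"] = str(exc)
    results["users_still_exist"] = (
        conn.execute(
            "SELECT count(*) FROM sqlite_master WHERE name = 'users'"
        ).fetchone()[0] == 1
    )

    # Caveat: an expression body cannot run DDL, but it can still read data
    # through a scalar subquery, so the mechanism is not harmless if an
    # attacker controls the body.
    register_simple_function("user_count", 0, "(SELECT count(*) FROM users)")
    results["user_count"] = conn.execute("SELECT user_count()").fetchone()[0]

    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Two practitioner notes. First, the injection DD and Eduardo discuss only exists if the application concatenates user input into its SQL; with bound parameters the attacker's text is a value, not a statement. Second, even in the concatenation case, Python's sqlite3 execute() refuses to run more than one statement per call, so an injected "; DROP TABLE" after the SELECT fails there too, while an injected expression (a scalar subquery reading another table, as in the user_count example) does not.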