Eduardo Morras wrote:
> Clemens Ladisch <clem...@ladisch.de> wrote:
>> Actually, no change to SQLite itself would be needed. It's possible
>> to create an extension that provides a function that allows to
>> register another function that executes a custom SQL expression:
>>
>> SELECT register_simple_function('rpad', 2, 'SELECT printf(''%-*s'', ?, ?)');
>
> So, if a webapp that uses SQLite doesn't check its input, functions that
> rename SQLite internals can be injected:
>
> SELECT register_simple_function('MAX', 1, 'DROP TABLE ?');
Such a statement would not return a single column, so it wouldn't actually
get executed. But it might be possible to execute something like
"PRAGMA evil = on", so this function probably should be secured like
load_extension().

Regards,
Clemens

_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users