Eduardo Morras wrote:
> Clemens Ladisch <clem...@ladisch.de> wrote:
>> Actually, no change to SQLite itself would be needed.  It's possible
>> to create an extension that provides a function that allows to
>> register another function that executes a custom SQL expression:
>>
>>  SELECT register_simple_function('rpad', 2, 'SELECT printf(''%-*s'', ?, ?)');
>
> So, if a webapp that uses SQLite doesn't check its input, functions that
> rename SQLite internals can be injected
>
> SELECT register_simple_function('MAX', 1, 'DROP TABLE ?');

Such a statement would not return a single column, so it wouldn't
actually get executed.

But it might be possible to execute something like "PRAGMA evil = on",
so this function probably should be secured like load_extension().


Regards,
Clemens
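As an added example (not code from SQLite or from either poster), here is how an application could offer the same "function defined by a SQL expression" facility from the host side, with the two checks this thread points at: the registration call lives in application code rather than being exposed as a SQL function, so injected SQL cannot reach it at all; and before a body is accepted it is compiled under an authorizer that refuses anything but a read-only SELECT (so PRAGMA, DROP TABLE, INSERT ... RETURNING and load_extension() are rejected at prepare time) and probed once to confirm it yields exactly one column. The class and function names, the BLOCKED_FUNCTIONS list and the hostile inputs in demo() are this example's own constructions.

```python
import sqlite3

# Functions refused even inside a SELECT (assumed list for this example).
BLOCKED_FUNCTIONS = {"load_extension"}


class SimpleFunctionRegistry:
    """Registers scalar SQL functions whose body is a vetted one-column SELECT.

    Registration is only reachable from application code, never from SQL, so
    injected SQL cannot call it; the vetting below is the second line of defence.
    """

    def __init__(self, conn):
        self.conn = conn
        self._vetting = False
        # Installed once and kept; it only restricts while a vetting run is active.
        conn.set_authorizer(self._authorize)

    def _authorize(self, action, arg1, arg2, dbname, source):
        if not self._vetting:
            return sqlite3.SQLITE_OK
        # SQLite consults the authorizer while compiling, so a denied statement
        # never reaches sqlite3_step() at all.
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_FUNCTION:           # arg2 is the function name
            if (arg2 or "").lower() in BLOCKED_FUNCTIONS:
                return sqlite3.SQLITE_DENY
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY                      # PRAGMA, DDL, DML, ATTACH, ...

    def validate(self, sql, nargs):
        """Return (ok, reason) for an expression body with `nargs` '?' placeholders."""
        self._vetting = True
        try:
            cur = self.conn.execute(sql, (None,) * nargs)   # probe with NULL arguments
            ncols = len(cur.description) if cur.description else 0
            cur.close()
        except sqlite3.Error as exc:                        # syntax error, 'not authorized', ...
            return False, f"rejected by SQLite: {exc}"
        finally:
            self._vetting = False
        if ncols != 1:
            return False, f"yields {ncols} columns, expected exactly 1"
        return True, "ok"

    def register(self, name, nargs, sql):
        """Vet `sql`, then expose it as the scalar SQL function `name`."""
        ok, reason = self.validate(sql, nargs)
        if not ok:
            raise ValueError(f"refusing to register {name!r}: {reason}")
        conn = self.conn

        def impl(*args):
            # Same statement text every call, so the compiled form is reused.
            return conn.execute(sql, args).fetchone()[0]

        conn.create_function(name, nargs, impl)


def demo():
    """Exercise the registry on an in-memory database; returns a dict of outcomes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t(x)")
    registry = SimpleFunctionRegistry(conn)
    results = {}

    # The benign case from the thread: rpad(width, text) via printf('%-*s').
    registry.register("rpad", 2, "SELECT printf('%-*s', ?, ?)")
    results["rpad"] = conn.execute("SELECT rpad(5, 'ab')").fetchone()[0]

    # Constructed hostile bodies, modelled on the injection worry in the thread.
    hostile = {
        "drop_table":       (1, "DROP TABLE ?"),
        "pragma":           (0, "PRAGMA evil = on"),
        "insert_returning": (1, "INSERT INTO t(x) VALUES(?) RETURNING x"),  # one column, but writes
        "load_extension":   (1, "SELECT load_extension(?)"),
        "two_columns":      (1, "SELECT ?, 1"),
    }
    for key, (nargs, sql) in hostile.items():
        ok, _reason = registry.validate(sql, nargs)
        results[key] = ok
    try:
        registry.register("max", 1, "DROP TABLE ?")
        results["register_raised"] = False
    except ValueError:
        results["register_raised"] = True
    results["table_intact"] = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE name = 't'").fetchone()[0] == 1
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value!r}")
```

The column-count rule alone is not sufficient: with SQLite 3.35 and later, "INSERT ... RETURNING x" yields a single column and still writes, which is why the authorizer is the check that matters; it also mirrors the load_extension() approach mentioned above, in that dangerous capability is decided by the host, not by whoever can submit SQL.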
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users