On 4 Apr 2014, at 7:55am, Darren Duncan <dar...@darrenduncan.net> wrote:
> Putting that aside, for any SQL DBMS that supports the PREPARE and EXECUTE
> keywords, you can have a SQL string value that contains a SQL statement and
> execute it, and you can build that string in other SQL from your table like
> with any string manipulation. This is a standard way to do it; if not the
> most elegant, it is simple and powerful.

And represents a huge vulnerability if hackers can trick the application into executing their own string.

Simon.
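The build-then-execute pattern Darren describes, and the exposure Simon points to, as an added Python/sqlite3 example that is not part of this thread. The `users` and `saved_queries` tables, the stored template and the sample rows are constructed for the demonstration; the point is that the stored statement text should be prepared as written and the caller's value bound as a parameter, never spliced into the text.

```python
import sqlite3


def make_db():
    """Constructed sample database: a table of saved SQL statement strings
    (the 'build it from your table' approach) and the table they query."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO users(name) VALUES ('Alice'), ('O''Brien');
        CREATE TABLE saved_queries(name TEXT PRIMARY KEY, sql TEXT);
        INSERT INTO saved_queries VALUES
            ('by_name', 'SELECT id, name FROM users WHERE name = ?');
    """)
    return conn


def load_template(conn, template_name):
    """Fetch the stored statement text; the lookup itself uses a bound parameter."""
    row = conn.execute("SELECT sql FROM saved_queries WHERE name = ?",
                       (template_name,)).fetchone()
    return row[0]


def run_concatenated(conn, template_name, value):
    """Weak variant: the caller's value is spliced into the statement text,
    so it is parsed as SQL. A quote in the value breaks the statement, and
    anything that parses as SQL is executed as SQL."""
    built = load_template(conn, template_name).replace("?", "'" + value + "'")
    return conn.execute(built).fetchall()


def run_bound(conn, template_name, value):
    """Hardened variant: the stored text is prepared unchanged and the value
    is bound, so the engine always treats it as data."""
    return conn.execute(load_template(conn, template_name), (value,)).fetchall()


def demo(value):
    """Run both variants on the same input and report what happened."""
    conn = make_db()
    try:
        concatenated = run_concatenated(conn, "by_name", value)
        concat_error = None
    except sqlite3.OperationalError as exc:  # statement text was altered by the value
        concatenated, concat_error = None, type(exc).__name__
    return {"bound": run_bound(conn, "by_name", value),
            "concatenated": concatenated, "concat_error": concat_error}
```

With a plain name both variants agree; with a name containing a quote the bound version still finds the row while the concatenated version fails to parse, which is the same mechanism an attacker-controlled string would exploit.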