On Wed, 11 Jan 2017, Jim Callahan wrote:

> How much doing all that is worth is a different question, since the calls
> made through this proposed system() SQLite function would also likely be
> non-portable. In this very example, there is no wc on Windows.
>
> I would suggest renaming the proposed system() function bash() since now
> and in the future there may be different command line shells.

For anyone thinking that it is a good idea to embed shell functionality in the SQL interpreter, it makes the SQL interpreter much less secure for untrusted inputs.

There are already SQL injection exploit opportunities and now SQL injection exploit opportunities also become shell exploit opportunities.

Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
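Added example, not code from this thread or from SQLite itself: one way an application could keep a shell-running SQL function out of reach of any statement text that came from outside, using the authorizer hook that SQLite exposes (here through Python's sqlite3 module). The system() function below is a constructed stand-in that only records its argument and runs nothing.

```python
import sqlite3

# Constructed stand-in for the proposed system() SQL function: records the
# command it was handed and executes nothing.
RECORDED_COMMANDS = []

def fake_system(cmd):
    RECORDED_COMMANDS.append(cmd)
    return cmd

def deny_shell_function(action, arg1, arg2, dbname, source):
    """Authorizer callback: SQLite calls this while compiling a statement.
    For SQLITE_FUNCTION, arg2 is the function name; returning SQLITE_DENY
    makes the whole statement fail with "not authorized"."""
    if action == sqlite3.SQLITE_FUNCTION and (arg2 or "").lower() == "system":
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK

def open_db(untrusted):
    """Open a demo database with system() registered. When the statements
    to be run on this connection may contain untrusted text, install the
    authorizer so system() cannot be reached even via SQL injection."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("system", 1, fake_system)
    conn.execute("CREATE TABLE files (name TEXT)")
    conn.execute("INSERT INTO files VALUES ('notes.txt')")  # constructed row
    if untrusted:
        conn.set_authorizer(deny_shell_function)
    return conn

def query(conn, sql):
    """Run sql and return its rows, or None if the authorizer refused it."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        if "not authorized" in str(exc):
            return None
        raise

if __name__ == "__main__":
    shell_sql = "SELECT system('wc -l notes.txt')"
    print(query(open_db(untrusted=False), shell_sql))   # reaches fake_system
    print(query(open_db(untrusted=True), shell_sql))    # None: denied
    print(query(open_db(untrusted=True), "SELECT name FROM files"))
```

Ordinary queries still run on the locked-down connection; only statements that name the shell function are rejected at compile time, before any argument expression is evaluated.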
