On 10/6/17, Kent Williams <kwilli...@leepfrog.com> wrote:
>
> As for 'untrusted SQL' -- if you open your databases (or our clients'
> databases) to unrestricted queries, you wouldn't need a malicious use of
> full-text search to ruin everybody's day ;-)
>
That was my thinking too, for a long time. I figured that any exploit in SQLite's language was far less severe than the SQL injection vulnerability that you create by giving users access to the language.

But some apps allow this. Example: The WebSQL implementation in webkit, used in Chrome and Safari. Earlier this year, a group of hackers figured out how to root a Mac using a chain of 6 exploits, one of which was a language exploit in SQLite that was accessed using WebSQL.

Since then, I have taken a more cautious approach and assumed that the bad guys do have unrestricted SQL access.

--
D. Richard Hipp
d...@sqlite.org
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users