On Dec 11, 2007, at 2:10 PM, [EMAIL PROTECTED] wrote:
> The limits in SQLite (introduced in version 3.4.0) were added
> at the request of the Google Gears developers. Consider the
> situation that Gears and similar applications (such as Adobe AIR)
> are in. They have to accept generic SQL from untrusted sources
> on the open internet then run that SQL in a secure manner. It
> turns out that there were all kinds of attacks against SQLite
> if you feed it untrusted SQL. The introduction of hard
> limits on the size of strings and BLOBs and SQL statements is
> one part of our efforts to close holes in SQLite and make it
> proof against malicious SQL attacks. (We are not there yet,
> BTW, but we are much closer.)

Also, per the quoted source in my original message, the comment is
out of sync with the source.

/*
** The maximum length of a single SQL statement in bytes.
** The hard limit here is the same as SQLITE_MAX_LENGTH.
*/
#ifndef SQLITE_MAX_SQL_LENGTH
# define SQLITE_MAX_SQL_LENGTH 1000000
#endif

This inconsistency was a source of confusion for me as to whether the
current hard limit for SQL was intentionally 1MB or not.

I'd be happy to submit a patch to fix the comment, but it is the
proverbial one line fix.

Jim