Kelly Jones wrote:
> On a website, I want to take a user's query "as is", save it to a
> userquery.txt, and then do:
>
> sqlite3 /path/to/mydb < userquery.txt
>
> where /path/to/mydb is a *read-only* file.
>
> Is there *any* risk of an injection attack here?
>
> Specifically, does sqlite3 have any shell escapes or any way to change
> the Unix permissions of the file it's accessing?

The user may issue an ATTACH statement to open a connection to a different file, and then modify that one.

Igor Tandetnik
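
One way to close off the ATTACH route described in the reply above, as an added example that is not part of the original thread: it assumes the query is run through Python's `sqlite3` module rather than the `sqlite3` command-line shell, opens the database with `mode=ro`, and installs an authorizer that permits only read actions. The table, file names and helper names are constructed for illustration.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Actions a plain read query needs; every other action, ATTACH included, is denied.
ALLOWED_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}


def read_only_authorizer(action, arg1, arg2, db_name, source):
    """Called by SQLite while a statement is compiled, once per action it needs."""
    return sqlite3.SQLITE_OK if action in ALLOWED_ACTIONS else sqlite3.SQLITE_DENY


def run_untrusted_query(db_path, sql):
    """Run one user-supplied statement; return (ok, rows_or_error_text)."""
    # mode=ro: SQLite opens the main database read-only, whatever the file mode is.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        conn.set_authorizer(read_only_authorizer)
        # execute() accepts a single statement, so "SELECT ...; ATTACH ..." also fails.
        return True, conn.execute(sql).fetchall()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return False, str(exc)
    finally:
        conn.close()


def demo():
    """Build a constructed sample database, then try a SELECT and an ATTACH."""
    workdir = tempfile.mkdtemp()
    db_path = os.path.join(workdir, "mydb.sqlite")
    setup = sqlite3.connect(db_path)
    setup.execute("CREATE TABLE items (name TEXT)")
    setup.execute("INSERT INTO items VALUES ('widget')")
    setup.commit()
    setup.close()

    other = os.path.join(workdir, "other.sqlite")  # second file the query names
    select_result = run_untrusted_query(db_path, "SELECT name FROM items")
    attach_result = run_untrusted_query(db_path, f"ATTACH DATABASE '{other}' AS other")
    insert_result = run_untrusted_query(db_path, "INSERT INTO items VALUES ('x')")
    return select_result, attach_result, insert_result, os.path.exists(other)


if __name__ == "__main__":
    for result in demo():
        print(result)
```
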