On Sat, Mar 8, 2014 at 2:16 AM, Clemens Ladisch <clem...@ladisch.de> wrote:
> Eduardo Morras wrote:
>> So, if a webapp that uses SQLite doesn't check its input, functions that
>> rename SQLite internals can be injected
>>
>> SELECT register_simple_function('MAX', 1, 'DROP TABLE ?');
>
> Such a statement would not return a single column, so it wouldn't
> actually get executed.
>
> But it might be possible to execute something like "PRAGMA evil = on",
> so this function probably should be secured like load_extension().
>
Absolute evil ) I already thought that introducing such a function violates a common-sense assumption that the Select API is side-effect free (in the context of database changes), since "Register" already slightly violates this by messing with the namespace context.

Allowing non-Select queries might pose a damage risk because it would complain only after the damage is done (no SQLITE_ROW result for an Update or Insert query, but the database had already changed by that moment). That's also why I still think that constraining it to the Select API, assuming an expression and automatically wrapping it in Select, is a must.

Max

_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
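The constraint Max proposes (treat the body as an expression and wrap it in SELECT so it is compiled, not executed, before anything can happen) as an added example in Python's sqlite3 module; this is illustration code, not SQLite's API or anything from the thread. `register_simple_function` is a hypothetical helper, and evaluating the body on a separate in-memory connection is an extra precaution of this example, not something the thread proposes.

```python
import sqlite3


def register_simple_function(conn, name, nargs, expr):
    """Hypothetical helper: register `name` as an nargs-ary SQL function whose
    body is the expression `expr` (arguments are referenced as ?1..?n)."""
    # Parenthesised SELECT wrapper: the body must compile as one expression.
    # 'DROP TABLE t' or 'PRAGMA evil = on' is a syntax error inside SELECT (...),
    # so it is rejected by the parser before any statement is run.
    wrapped = f"SELECT ({expr})"
    # Evaluate on a separate in-memory connection (assumption of this example):
    # it holds no application tables, so the body can compute but not change data.
    sandbox = sqlite3.connect(":memory:")
    # Registration-time check: bind NULL for each argument and compile/run once.
    # Python's sqlite3 also refuses a trailing second statement ("...; DROP ...").
    sandbox.execute(wrapped, (None,) * nargs)
    conn.create_function(
        name, nargs, lambda *args: sandbox.execute(wrapped, args).fetchone()[0]
    )


def body_accepted(expr, nargs=1):
    """True if `expr` would be accepted as a function body."""
    try:
        register_simple_function(sqlite3.connect(":memory:"), "probe", nargs, expr)
        return True
    except (sqlite3.Error, sqlite3.Warning):
        return False


def demo():
    """Constructed sample database: a table t that the bodies from the thread
    would try to drop. Returns (values of twice(x), bodies rejected, t survives)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t(x INTEGER)")
    conn.executemany("INSERT INTO t VALUES (?)", [(1,), (2,), (3,)])
    register_simple_function(conn, "twice", 1, "?1 * 2")
    doubled = [r[0] for r in conn.execute("SELECT twice(x) FROM t ORDER BY x")]
    rejected = 0
    for body in ("DROP TABLE t", "PRAGMA evil = on", "1); DROP TABLE t; --"):
        try:
            register_simple_function(conn, "evil", 1, body)
        except (sqlite3.Error, sqlite3.Warning):
            rejected += 1
    survives = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE name = 't'"
    ).fetchone()[0] == 1
    return doubled, rejected, survives
```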