Thanks Clemens for your inputs. We are using parametrized queries and don't have any user interface where the user can modify anything currently. It's almost a read-only application. Ours is a file management application.

But we will come up with some functionality where the user will be able to upload random files into our application. The files will reside in the application sandbox environment. Once a file is uploaded, the metadata of that file will get inserted/updated into the DB. We will also come up with rename (a text box) and other CRUD operations which will require user interaction. This will again trigger the metadata update into the DB. But the queries will always be parametrized ones.

Regards,
Saurav

On Tue, Dec 22, 2015 at 12:12 PM, Clemens Ladisch <clemens at ladisch.de> wrote:
> Saurav Sarkar:
> >Our application is free of any kind of SQL injection
>
> Famous last words. :)
>
> >as we don't have any input fields.
>
> So where does your data come from?
> Does your application have any interface that an attacker
> could access?
>
> How do you create your SQL statements?
> Are you always using bound parameters?
>
> >https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3414
>
> This requires the attacker to control a collation name.
>
> >https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3415
>
> This requires the attacker to control the CHECK clause in a CREATE
> TABLE statement.
>
> >https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3416
>
> This requires the attacker to control the format string of the print()
> SQL function.
>
>
> Regards,
> Clemens
> _______________________________________________
> sqlite-users mailing list
> sqlite-users at mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
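The pattern Saurav describes (file metadata inserted on upload, then updated from a rename text box, always through bound parameters) as an added, self-contained example; this is not code from the thread or from SQLite itself. It uses Python's standard `sqlite3` module with an in-memory database, a hypothetical `files` table, and constructed sample rows, one of which carries a deliberately SQL-looking filename to show it is stored as plain data. It also covers the caveat behind Clemens's CVE remarks: bound parameters only cover values, so anything that lands in statement text (a column name for ORDER BY here, a collation or CHECK clause in his examples) has to be restricted by an allowlist instead.

```python
import sqlite3

# Constructed sample metadata standing in for user uploads. The second
# name is a hostile-looking string used only to show that a bound value
# is stored verbatim and never parsed as SQL.
SAMPLE_FILES = [
    ("report.pdf", "/sandbox/u1/report.pdf", 1024),
    ("x'); DROP TABLE files; --", "/sandbox/u1/odd", 12),
]

# Identifiers cannot be bound, so any user-chosen sort column must be
# checked against a fixed allowlist before it reaches the statement text.
SORTABLE_COLUMNS = {"name", "size", "path"}


def open_db():
    """Create the hypothetical files table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE files ("
        "  id INTEGER PRIMARY KEY,"
        "  name TEXT NOT NULL,"
        "  path TEXT NOT NULL UNIQUE,"
        "  size INTEGER NOT NULL)"
    )
    return conn


def insert_metadata(conn, name, path, size):
    """Insert upload metadata; every value travels as a '?' parameter."""
    cur = conn.execute(
        "INSERT INTO files (name, path, size) VALUES (?, ?, ?)",
        (name, path, size),
    )
    return cur.lastrowid


def rename_file(conn, file_id, new_name):
    """Apply a rename from the text box; the new name is again a bound value."""
    cur = conn.execute(
        "UPDATE files SET name = ? WHERE id = ?", (new_name, file_id)
    )
    return cur.rowcount


def list_files(conn, sort_by="name"):
    """List rows sorted by an allowlisted column name.

    The column name is part of the SQL text, not a value, so a parameter
    cannot carry it; the allowlist is what keeps user input out of the
    statement.
    """
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return conn.execute(
        f"SELECT id, name, path, size FROM files ORDER BY {sort_by}"
    ).fetchall()


def demo():
    """Upload two files, rename the first, and list them by size."""
    conn = open_db()
    ids = [insert_metadata(conn, *row) for row in SAMPLE_FILES]
    rename_file(conn, ids[0], "report-final.pdf")
    rows = list_files(conn, "size")
    conn.close()
    return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running `demo()` returns both rows with the odd filename intact and the `files` table still present; passing a non-allowlisted string such as a column name with trailing SQL to `list_files` is rejected before any statement is built.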