bob1029 7 hours ago

> Applications that accept untrusted SQL inputs

Due to the extreme amount of testing involved with SQLite, I wonder if it could be argued that it is safer to allow it to directly validate and attempt untrusted commands than it is to run any verification in your application code.

I feel like you could wind up creating more attack surfaces than you solve by worrying about these things in the wrong way. The moment you reach for crap like regex you have probably lost the game.
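The contrast the comment draws, as an added example that is not part of the comment or of SQLite's documentation: a hypothetical application-side regex filter is compared with letting SQLite parse the statement itself and consult an authorizer callback (Python's `sqlite3.Connection.set_authorizer`). The table, the regex, the choice of an authorizer and the sample statements are all constructed for illustration.

```python
import re
import sqlite3

# Hypothetical app-side filter: reject statements that begin with a write keyword.
WRITE_RE = re.compile(r"^\s*(insert|update|delete|drop|alter|create|replace)\b", re.I)

def regex_allows(sql):
    return WRITE_RE.search(sql) is None

# SQLite calls the authorizer while compiling the statement, i.e. after its
# own parser has decided what the text means. Only plain reads are allowed;
# everything else (writes, DDL, PRAGMA, ATTACH, SQL functions) is denied.
READ_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ}

def authorizer(action, arg1, arg2, db_name, source):
    return sqlite3.SQLITE_OK if action in READ_ACTIONS else sqlite3.SQLITE_DENY

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes(id INTEGER PRIMARY KEY, body TEXT)")
    db.execute("INSERT INTO notes(body) VALUES ('hello')")
    db.commit()
    db.set_authorizer(authorizer)  # installed only after the setup statements
    return db

def sqlite_allows(db, sql):
    try:
        db.execute(sql).fetchall()
        return True
    except sqlite3.Error:  # includes "not authorized" raised at prepare time
        return False

# Constructed sample inputs.
SAMPLES = [
    "SELECT body FROM notes",
    "DELETE FROM notes",
    "/* note */ DELETE FROM notes",           # leading comment hides the keyword
    "WITH d AS (SELECT 1) DELETE FROM notes",  # write behind a CTE prefix
]

if __name__ == "__main__":
    db = make_db()
    for sql in SAMPLES:
        print(f"{sql!r}: regex={regex_allows(sql)} sqlite={sqlite_allows(db, sql)}")
    print("rows left:", db.execute("SELECT body FROM notes").fetchall())
```

The regex and SQLite agree on the first two statements and disagree on the last two, where only the authorizer sees the statement as the parser does.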