/ 
DBD-SQLite-0.23
River stage four • 518 direct dependents • 1146 total dependents
/ DBD::SQLite
Security Advisories (19)
CVE-2020-13434 (2020-05-24)

SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.

CVE-2020-11656 (2020-04-09)

In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.

CVE-2020-9327 (2020-02-21)

In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.

CVE-2018-20506 (2019-04-03)

SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a "merge" operation that occurs after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). This is a different vulnerability than CVE-2018-20346.

CVE-2015-3416 (2015-04-24)

The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement.

CVE-2015-3414 (2015-04-24)

SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement.

CVE-2020-13630 (2020-05-27)

ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature.

CVE-2020-15358 (2020-06-27)

In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.

CVE-2020-13632 (2020-05-27)

ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.

CVE-2020-13631 (2020-05-27)

SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.

CVE-2020-13435 (2020-05-24)

SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.

CVE-2020-11655 (2020-04-09)

SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.

CVE-2019-19646 (2019-12-09)

pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.

CVE-2019-19645 (2019-12-09)

alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.

CVE-2018-20346 (2018-12-21)

SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.

CVE-2018-8740 (2018-03-17)

In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c.

CVE-2017-10989 (2017-07-07)

The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.

CVE-2015-3415 (2015-04-24)

The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement.

CVE-2016-6153 (2016-09-26)

os_unix.c in SQLite before 3.13.0 improperly implements the temporary directory search algorithm, which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact by leveraging use of the current working directory for temporary files.

NAME

DBD::SQLite - Self Contained RDBMS in a DBI Driver

SYNOPSIS

use DBI;
my $dbh = DBI->connect("dbi:SQLite:dbname=dbfile","","");

DESCRIPTION

SQLite is a public domain RDBMS database engine that you can find at http://www.hwaci.com/sw/sqlite/.

Rather than ask you to install SQLite first, because SQLite is public domain, DBD::SQLite includes the entire thing in the distribution. So in order to get a fast transaction capable RDBMS working for your perl project you simply have to install this module, and nothing else.

SQLite supports the following features:

Implements a large subset of SQL92

See http://www.hwaci.com/sw/sqlite/lang.html for details.

A complete DB in a single disk file

Everything for your database is stored in a single disk file, making it easier to move things around than with DBD::CSV.

Atomic commit and rollback

Yes, DBD::SQLite is small and light, but it supports full transactions!

There's lots more to it, so please refer to the docs on the SQLite web page, listed above, for SQL details. Also refer to DBI for details on how to use DBI itself.

API

The API works exactly as every DBI module does. Please see DBI for more details about core features.

$dbh->func('last_insert_rowid')

This method returns the last inserted rowid. If you specify an INTEGER PRIMARY KEY as the first column in your table, that is the column that is returned. Otherwise, it is the hidden ROWID column. See the sqlite docs for details.

NOTES

To access the database from the command line, try using dbish which comes with the DBI module. Just type:

dbish dbi:SQLite:foo.db

On the command line to access the file foo.db.

Alternatively you can install SQLite from the link above without conflicting with DBD::SQLite and use the supplied sqlite command line tool.

PERFORMANCE

SQLite is fast, very fast. I recently processed my 72MB log file with it, inserting the data (400,000+ rows) by using transactions and only committing every 1000 rows (otherwise the insertion is quite slow), and then performing queries on the data.

Queries like count(*) and avg(bytes) took fractions of a second to return, but what surprised me most of all was:

SELECT url, count(*) as count FROM access_log
  GROUP BY url
  ORDER BY count desc
  LIMIT 20

To discover the top 20 hit URLs on the site (http://axkit.org), and it returned within 2 seconds. I'm seriously considering switching my log analysis code to use this little speed demon!

Oh yeah, and that was with no indexes on the table, on a 400MHz PIII.

For best performance be sure to tune your hdparm settings if you are using linux. Also you might want to set:

PRAGMA default_synchronous = OFF

Which will prevent sqlite from doing fsync's when writing, which will slow down non-transactional writes significantly, at the expense of some piece of mind. Also try playing with the cache_size pragma.

BUGS

Likely to be many, please use http://rt.cpan.org/ for reporting bugs.

AUTHOR

Matt Sergeant, matt@sergeant.org

SEE ALSO

DBI.