If you have:

1. An arbitrary attacker-supplied schema
2. Fixed, well-known, application-defined queries
3. No custom SQL functions or virtual tables

Then the worst that can happen is an infinite loop and/or using a large amount of RAM.

If you want to defend against even that possibility, then you can scan the database schema for instances of VIEWs that have the same names as what the application expects to be tables. Suppose the application is running queries that involve tables "tab_abc", "tab_def", and "tab_ghi". Then to look for possibly malicious schemas:

~~~~~
SELECT 1 FROM sqlite_master
 WHERE type='view'
   AND lower(name) IN ('tab_abc','tab_def','tab_ghi');
~~~~~
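
The scan described above, wired into a pre-flight check with Python's standard `sqlite3` module. This is an added example, not part of the original post; the helper names (`find_shadowing_views`, `build_sample`) and both sample schemas are constructed for illustration, and only the table names come from the post.

```python
import sqlite3

# Table names the application's fixed queries expect (taken from the post).
EXPECTED_TABLES = ("tab_abc", "tab_def", "tab_ghi")


def find_shadowing_views(conn, expected=EXPECTED_TABLES):
    """Return names of VIEWs whose name matches a table the application expects."""
    placeholders = ",".join("?" for _ in expected)
    sql = (
        "SELECT name FROM sqlite_master "
        "WHERE type='view' AND lower(name) IN (" + placeholders + ") "
        "ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql, [n.lower() for n in expected])]


def build_sample(schema_sql):
    """Create an in-memory database from constructed schema text."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(schema_sql)
    return conn


# Constructed sample schemas, not taken from any real file.
CLEAN_SCHEMA = """
CREATE TABLE tab_abc(a);
CREATE TABLE tab_def(d);
CREATE TABLE tab_ghi(g);
CREATE VIEW report AS SELECT a FROM tab_abc;
"""
# Here a view stands in for tab_def, with different letter case in its name.
SUSPECT_SCHEMA = """
CREATE TABLE tab_abc(a);
CREATE TABLE tab_ghi(g);
CREATE VIEW Tab_DEF AS SELECT a AS d FROM tab_abc;
"""

if __name__ == "__main__":
    for label, schema in (("clean", CLEAN_SCHEMA), ("suspect", SUSPECT_SCHEMA)):
        hits = find_shadowing_views(build_sample(schema))
        print(label, "->", "reject: " + ", ".join(hits) if hits else "ok")
```

Run the check before any application query touches the file, and refuse the database if it returns any name.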