SQLite Forum

Possible vulnerabilities from December 2019
Right, I'm referring to the original poster's video, https://media.ccc.de/v/36c3-10701-select_code_execution_from_using_sqlite, where at approximately 4 minutes 32 seconds the attack vector is literally just knowing that the back end of a service will run a specific SELECT query, which ends up granting the video creator the ability to write files to the system (or similar). Specifically, the video creator exploits:

"SELECT BodyRich FROM Notes", which is the same surface as my friend, who runs a basic known select query on uploaded data.

It is not obvious to me if this more general attack vector is by default prevented in SQLite 3.32.1, and whether or not it is preventable by upgrading to Python 3, even though I can't find any evidence that sqlite3_config() / sqlite3_db_config() is exposed in either version of Python.

Unfortunately, neither of us is an SQLite expert, hence me coming here asking for advice to prevent damages.
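An added example, not part of the original post: one way to run the fixed query against an uploaded file from Python 3's `sqlite3` module without `sqlite3_db_config()`, by checking the schema first and then installing an authorizer with `set_authorizer()`. The names `read_notes`, `build_sample` and `authorizer`, and the `Other` table, are hypothetical; it assumes the upload's schema is what redirects the query, for instance by defining `Notes` as a view.

```python
import sqlite3
from pathlib import Path

QUERY = "SELECT BodyRich FROM Notes"       # the fixed query from the post
ALLOWED_READS = {("Notes", "BodyRich")}    # the only column that query should touch


def authorizer(action, arg1, arg2, dbname, source):
    # source names the view or trigger causing the access; None means top-level SQL.
    if source is not None:
        return sqlite3.SQLITE_DENY
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and (arg1, arg2) in ALLOWED_READS:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY             # functions, PRAGMA, ATTACH, writes, ...


def read_notes(path):
    """Run QUERY against an untrusted database file, or raise."""
    conn = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        # Schema check before the authorizer is installed: Notes must be a real table.
        kinds = conn.execute(
            "SELECT type FROM sqlite_master WHERE name = 'Notes'").fetchall()
        if kinds != [("table",)]:
            raise ValueError("Notes is not a plain table: %r" % (kinds,))
        conn.set_authorizer(authorizer)
        return [row[0] for row in conn.execute(QUERY)]
    finally:
        conn.close()


def build_sample(path, hijacked):
    """Constructed test input: a normal upload, or one where Notes is a view."""
    conn = sqlite3.connect(path)
    if hijacked:
        conn.executescript(
            "CREATE TABLE Other(x); INSERT INTO Other VALUES ('elsewhere');"
            "CREATE VIEW Notes AS SELECT x AS BodyRich FROM Other;")
    else:
        conn.executescript(
            "CREATE TABLE Notes(BodyRich); INSERT INTO Notes VALUES ('hello');")
    conn.commit()
    conn.close()
```

The schema check and the authorizer are independent layers: the first rejects a file whose `Notes` is not a table, and the second makes statement preparation fail with `sqlite3.DatabaseError` if the query reaches anything other than `Notes.BodyRich`.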