Improved documentation for SQLITE_DBCONFIG_DEFENSIVE. Add a NEVER() macro

on an unreachable branch.

FossilOrigin-Name: 9292d3351c40339de7ad6bc26c02e7592e6cdee2592e0c790fae63ccf21ea88c

src/sqlite.h.in

@@ -2160,27 +2160,16 @@ struct sqlite3_mem_methods {
 ** ensure that it does not happen by accident.
 **
 ** <dt>SQLITE_DBCONFIG_DEFENSIVE</dt>
-** <dd>The SQLITE_DBCONFIG_DEFENSIVE option actives or deactivates the
+** <dd>The SQLITE_DBCONFIG_DEFENSIVE option activates or deactivates the
 ** "defensive" flag for a database connection.  When the defensive
-** flag is enabled, some obscure features of SQLite are disabled in order
-** to reduce the attack surface. Applications that run untrusted SQL
-** can activate this flag to reduce the risk of zero-day exploits.
-** <p>
-** Features disabled by the defensive flag include:
+** flag is enabled, language features that allow ordinary SQL to 
+** deliberately corrupt the database file are disabled.  The disabled
+** features include but are not limited to the following:
 ** <ul>
-** <li>The [PRAGMA writable_schema=ON] statement.
-** <li>Writes to the [sqlite_dbpage] virtual table.
+** <li> The [PRAGMA writable_schema=ON] statement.
+** <li> Writes to the [sqlite_dbpage] virtual table.
+** <li> Direct writes to shadow tables.
 ** </ul>
-** New restrictions may be added in future releases.
-** <p>
-** To be clear: It should never be possible for hostile SQL to cause
-** arbitrary memory reads, memory leaks, buffer overflows, assertion
-** faults, arbitrary code execution, crashes, or other mischief, regardless
-** of the value of the defensive flag.  Any occurrance of these problems
-** is considered a serious bug and will be fixed promptly.  It is not
-** necessary to enable the defensive flag in order to make SQLite secure
-** against attack. The defensive flag merely provides an additional layer
-** of defense against unknown vulnerabilities.
 ** </dd>
 ** </dl>
 */