Comment 20 for bug 1483037

Bernd Dietzel (l-ubuntuone1104) wrote :

For a Shotwell Scope SQL injection demo, I attached a screenshot.
Code can be injected with a file name in the function getPhotoForUri.

Demonstration:
a) rename some picture like this

xx " UNION SELECT 1,'2','Hello','World',5,6,7,8,9,10,11,12,'13','14','15',16,17,18,19,20,21,22,23,24,'25',26,27,28,29 -- ".png

b) start shotwell and ensure the picture gets into the shotwell database
c) close shotwell
d) Search for xx in the Unity Dash and click on the picture
e) Have a look at the picture dimensions and the size. It reads "Hello x World Pixels", size : 5.0b.
This is only a harmless demo. Other things may happen like crashes or code execution.
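Added example (my code, not from the report or from Shotwell's scope): a toy SQLite lookup that splices the file name into the WHERE clause the way the report describes, next to the parameterized version that removes the injection. The table, its column names and the single-quote delimiter are assumptions; the injected file name mirrors the demo above with the column count reduced to fit the toy table.

```python
import sqlite3

# Constructed stand-in for the photo table the scope queries (assumed schema,
# not Shotwell's real one). One benign row to show the normal lookup.
SCHEMA = """
CREATE TABLE photo (id INTEGER PRIMARY KEY, filename TEXT,
                    width INTEGER, height INTEGER, filesize INTEGER);
INSERT INTO photo VALUES (1, 'holiday.png', 1024, 768, 204800);
"""

# File name built like the one in the report, with five columns to match
# the toy table; the trailing "-- '.png" comments out the rest of the query.
INJECTED_NAME = "xx ' UNION SELECT 1,'2','Hello','World',5 -- '.png"


def make_db():
    """In-memory database with the constructed photo table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, filename):
    """The flawed pattern: the file name becomes part of the SQL text,
    so quote characters in it change the statement's structure."""
    sql = ("SELECT id, filename, width, height, filesize FROM photo "
           f"WHERE filename = '{filename}'")
    return conn.execute(sql).fetchone()


def lookup_safe(conn, filename):
    """The fix: bind the file name as a parameter. SQLite receives it as a
    value, never parses it as SQL, so the same name just matches nothing."""
    sql = ("SELECT id, filename, width, height, filesize FROM photo "
           "WHERE filename = ?")
    return conn.execute(sql, (filename,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Forged row (dimensions "Hello x World", size 5) versus no match at all.
    print("vulnerable:", lookup_vulnerable(db, INJECTED_NAME))
    print("safe:      ", lookup_safe(db, INJECTED_NAME))
```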