Android Studio SQLite: SQL injection possible with gestures?

Question

I implemented an app using an SQLite database, and the data are stored in the background without any user interaction. The only point where the user is needed is when data are deleted with a gesture, and that is my question.
Is it possible to make an SQL injection through a gesture, and if so, how can I prevent it?

Answer 1

Score: 1


If the user is not inputting text then SQL injection is highly unlikely.

However, if you use the convenience methods fully, and/or rawQuery/execSQL with the 2nd parameter, passing any values via the 2nd parameter, then the values will be bound, which protects against SQL injection.

  • This assumes that you are using the standard SQLiteDatabase as per the SDK.

Examples of inserting rows

This example uses execSQL (both forms) and the insert convenience method to demonstrate the principle of using bound arguments, and in the first example of not using a bound argument.

theSQLitedatabase.execSQL("INSERT INTO mytable VALUES('" + userdata + "')"); // <<<<<< potential for injection: userdata is spliced into the SQL text

theSQLitedatabase.execSQL("INSERT INTO mytable VALUES(?)", new String[]{userdata}); // <<<<< protects as value is bound by SQLite itself

/* Uses the convenience method that builds the SQL (as per 2nd example) and protects */
// requires android.content.ContentValues and android.database.sqlite.SQLiteDatabase
ContentValues cv = new ContentValues();
cv.put(the_column_name_as_a_string, userdata);
theSQLitedatabase.insert("mytable", null, cv);
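
The following is an added example, not code from the original question or answer. It runs the two patterns from the answer (value spliced into the SQL text versus value bound through a `?` placeholder) against a plain SQLite database from Python's standard `sqlite3` module, which uses the same SQLite engine that does the binding on Android, so the behaviour carries over to SQLiteDatabase.execSQL/rawQuery/insert/delete. The table layout, the sample rows and the two payloads are constructed for the demonstration. It also covers the gesture-driven delete from the question: a swipe handler normally hands the database an integer row id, which by itself gives an attacker no text to inject, but the delete is written with a bound parameter anyway so that a string reaching it later is still treated as data.

```python
import sqlite3

# Constructed sample data; "mytable" and its columns are assumptions for this example.
SAMPLE_NOTES = ["alpha", "beta", "gamma"]


def setup_db():
    """Fresh in-memory SQLite database seeded with three constructed rows (ids 1..3)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (id INTEGER PRIMARY KEY, note TEXT NOT NULL)")
    conn.executemany("INSERT INTO mytable (note) VALUES (?)", [(n,) for n in SAMPLE_NOTES])
    conn.commit()
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM mytable").fetchone()[0]


def insert_concat(conn, userdata):
    """Mirrors the first execSQL form in the answer: the value is spliced into the SQL text."""
    conn.execute("INSERT INTO mytable (note) VALUES('" + userdata + "')")
    conn.commit()


def insert_bound(conn, userdata):
    """Mirrors the second form: '?' placeholder, the value is bound by SQLite itself."""
    conn.execute("INSERT INTO mytable (note) VALUES(?)", (userdata,))
    conn.commit()


def delete_concat(conn, row_id):
    """Gesture-driven delete with the id spliced into the SQL (the risky pattern)."""
    conn.execute("DELETE FROM mytable WHERE id = " + str(row_id))
    conn.commit()


def delete_bound(conn, row_id):
    """Gesture-driven delete with the id passed as a bound parameter."""
    conn.execute("DELETE FROM mytable WHERE id = ?", (row_id,))
    conn.commit()


def demo():
    """Run both patterns with an injection payload and return what each one did."""
    results = {}

    # Closes the quoted value and appends a second VALUES tuple: still a single statement.
    payload = "x'), ('injected"

    conn = setup_db()
    insert_concat(conn, payload)
    results["concat_insert_rows"] = row_count(conn)  # 5: the payload became two rows

    conn = setup_db()
    insert_bound(conn, payload)
    results["bound_insert_rows"] = row_count(conn)  # 4: one row, payload stored verbatim
    results["bound_insert_stored"] = conn.execute(
        "SELECT note FROM mytable WHERE id = 4"
    ).fetchone()[0]

    # What a string reaching the delete path instead of an integer id could do.
    id_payload = "1 OR 1=1"

    conn = setup_db()
    delete_concat(conn, id_payload)
    results["concat_delete_rows"] = row_count(conn)  # 0: WHERE id = 1 OR 1=1 deletes everything

    conn = setup_db()
    delete_bound(conn, id_payload)
    results["bound_delete_rows"] = row_count(conn)  # 3: bound text never equals an integer id

    conn = setup_db()
    delete_bound(conn, 2)
    results["bound_delete_int_rows"] = row_count(conn)  # 2: the intended single-row delete

    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that the payloads here stay within one statement on purpose: like execSQL on Android, Python's `execute()` refuses stacked statements, so `'; DROP TABLE ...` style input fails for a different reason, while a payload that reshapes the single statement (an extra VALUES tuple, an `OR 1=1`) still goes through when the value is concatenated.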

huangapple
  • Posted on 2020-01-06 17:51:20
  • When reposting, please keep this link: https://go.coder-hub.com/59609886.html