英文:
Android Studio Sqlite Sqlinjection possible with gestures?
问题
可以通过手势进行SQL注入吗,如果可以,如何防止它?
英文:
I implemented an app using an SQLite database and the data are stored in background without any user interactions. The only point where the use is needed is when data are deleted with an gesture and that is my question.
Is it possible to make an SQL injection through a gesture and if so, how can I prevent it?
答案1
得分: 1
如果用户未输入文本,则几乎不太可能发生SQL注入。
但是,如果您完全使用方便的方法或者使用具有第二个参数的rawQuery execSQL,通过第二个参数传递任何值,那么这些值将会被绑定,从而防止SQL注入。
- 这假设您正在使用标准的SQLiteDatabase,如SDK所述。
插入行的示例
此示例使用execSQL(两种形式)和insert方便的方法来演示使用绑定参数的原则,以及第一个示例中不使用绑定参数。
theSQLitedatabase.execSQL("INSERT INTO mytable VALUES('" + userdata + "')"); // <<<<<<<<< potential for injection
theSQLitedatabase.execSQL("INSERT INTO mytable VALUES(?)", new String[]{userdata}); // <<<<<<<<< protects as value is bound by SQLite itself
/* 使用构建SQL的方便方法(与第二个示例相同)并进行保护 */
ContentValues cv = new ContentValues();
cv.put(the_column_name_as_a_string, userdata);
theSQLitedatabase.insert("mytable", null, cv);
英文:
If the user is not inputting text then SQL Injection is highly unlikely.
However, if you use the convenience methods fully and or rawQuery execSQL with the 2nd parameter, passing any values via the 2nd parameter then the values will be bound which protects against SQL injection.
- This assumes that you are using the standard SQLiteDatabase as per the SDK.
Examples of inserting rows
This example uses execSQL (both forms) and the insert convenience method to demonstrate the principles of using bound arguments and in the first example of not using a bound argument.
theSQLitedatabase.execSQL("INSERT INTO mytable VALUES('" + userdata + "')"); //<<<<<< potential for injection
theSQLitedatabase.execSQL("INSERT INTO mytable VALUES(?)",new String[]{userdata}); //<<<<< protects as value is bound by SQLite itself
/* Uses the convenience method that builds the SQL (as per 2nd example) and protects */
ContentValues cv = new Contentvalues();
cv.put(the_column_name_as_a_string,userdata);
theSQLitedatabase.insert("mytable",null,cv);
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论