android中的输入参数清理,以避免漏洞
[英]Input parameter sanitization in android for avoiding vulnerabilities
问题描述
Recently while source code audit of my android application auditors have raised few points like path manipulation, privacy violation attacks? 
最近,虽然我的android应用程序审核程序的源代码审核提出了几点建议,例如路径操纵,隐私侵犯攻击?
I have been searching for proper solutions since last few days but couldn't find any fruitful solution. 从最近几天开始,我一直在寻找适当的解决方案,但找不到任何卓有成效的解决方案。 Please provide me solutions for below queries. 请为我以下查询提供解决方案。
1. File f = new File("filepath");
how to prevent attacker from manipulating filepath ? 如何防止攻击者操纵文件路径?
2. private void selectDataFromDB(String param1,String param2){
sqlitedatabase.query("Select * from tbl1 where col1 LIKE ? and colu2 LIKE ?",new String[]{param1,param2});
}
how to validate parameters such that attacker cannot change this parameter ? 如何验证参数以使攻击者无法更改此参数? Input sanitization ? 投入消毒? How to apply it? 如何申请?
Edit1: 编辑1:
The method selectDataFromDB() in MyActivity.java mishandles confidential information, which can compromise user privacy and is often illegal. 该方法selectDataFromDB()在MyActivity.java处理不当的机密信息,这可能会危及用户隐私,往往是非法的。
1 个解决方案
解决方案1
0 2018-07-17 22:40:22
They proposed me to apply input sanitization.
You don't need to sanitize inputs when you use query parameters. 使用查询参数时,无需清理输入。 That's one of the best reasons to use parameterized SQL statements. 这是使用参数化SQL语句的最佳理由之一。 It's not possible for the value of a query parameter to change the SQL syntax. 查询参数的值无法更改SQL语法。
It's possible that your auditors don't understand how SQL injection works . 您的审核员有可能不了解SQL注入的工作原理 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.