how to prevent sql injection attack in android?
Question
so i have problems with following code and was wondering if there is any other way of creating and deleting table where table name is taken from user the following code gives error when using " ' " single quote. please help
public void droptable(String tablename) {
SQLiteDatabase db =this.getWritableDatabase();
db.execSQL("DROP TABLE IF EXISTS " + tablename);
}
public void createtable(String tablename)
{
SQLiteDatabase db = this.getWritableDatabase();
String query = String.format("CREATE TABLE IF NOT EXISTS %s ( %s INTEGER PRIMARY KEY AUTOINCREMENT , %s TEXT )",tablename,COLUMN0,COLUMN1);
db.execSQL(query);
}
is there a better way to do this?
1 answers
solution1
3 ACCPTED 2018-09-02 14:09:16
Unless your app will export the SQLite database itself, with the user intending to use that SQLite database elsewhere, the user will never see this table except through your app.
That gives you a number of options:
Do not use the user-entered value for the table name. Instead, generate a valid table name yourself, and keep a mapping of the generated names and what the user-entered "display name" is for each table.
Transform the user-entered value into a valid table name, by removing unsupported characters.
Wrap the user-entered value in quotation marks (
"%s"), though then you will have problems if the user enters a table name with a quotation mark.Prevent the user from entering an invalid table name, by rejecting non-standard characters as part of your
EditTextValidate the user-entered value and show an error dialog if they type in something that will result in SQL errors
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.