| author | 2023-08-01 15:08:25 -0700 | |
|---|---|---|
| committer | 2023-08-01 15:31:18 -0700 | |
| commit | 390d51e3e8e2f5d0fa48b7d61058abc15e278fa6 (patch) | |
| tree | a173e0b3ce9abfa2d9836fd01d37fbcd7c7a9123 | |
| parent | 5c61842f126428f4fa49eef000c72de851e34c06 (diff) | |
Update ContentProvider documentation
Bug: 286447115
Update the ContentProvider examples with best practice for guarding
against SQL injection attacks. Add the same information to
SQLiteQueryBuilder itself.
This only changes documentation.
Test: make ds-docs
Change-Id: Ia05c5ee9e61da4140ea933a3d231c7438597defa
| -rw-r--r-- | core/java/android/content/ContentProvider.java | 12 | ||||
| -rw-r--r-- | core/java/android/database/sqlite/SQLiteQueryBuilder.java | 9 |
2 files changed, 21 insertions, 0 deletions
diff --git a/core/java/android/content/ContentProvider.java b/core/java/android/content/ContentProvider.java
index a0bbeb5f4bfc..c86ccfdaa7d4 100644
--- a/core/java/android/content/ContentProvider.java
+++ b/core/java/android/content/ContentProvider.java
@@ -1483,6 +1483,12 @@ public abstract class ContentProvider implements ContentInterface, ComponentCall
 // proper SQL syntax for us.
 SQLiteQueryBuilder qBuilder = new SQLiteQueryBuilder();
+ // Guard against SQL injection attacks
+ qBuilder.setStrict(true);
+ qBuilder.setProjectionMap(MAP_OF_QUERYABLE_COLUMNS);
+ qBuilder.setStrictColumns(true);
+ qBuilder.setStrictGrammar(true);
+
 // Set the table we're querying.
 qBuilder.setTables(DATABASE_TABLE_NAME);
@@ -1546,6 +1552,12 @@ public abstract class ContentProvider implements ContentInterface, ComponentCall
 // proper SQL syntax for us.
 SQLiteQueryBuilder qBuilder = new SQLiteQueryBuilder();
+ // Guard against SQL injection attacks
+ qBuilder.setStrict(true);
+ qBuilder.setProjectionMap(MAP_OF_QUERYABLE_COLUMNS);
+ qBuilder.setStrictColumns(true);
+ qBuilder.setStrictGrammar(true);
+
 // Set the table we're querying.
 qBuilder.setTables(DATABASE_TABLE_NAME);
diff --git a/core/java/android/database/sqlite/SQLiteQueryBuilder.java b/core/java/android/database/sqlite/SQLiteQueryBuilder.java
index e9c59f55a418..2061c2bdd721 100644
--- a/core/java/android/database/sqlite/SQLiteQueryBuilder.java
+++ b/core/java/android/database/sqlite/SQLiteQueryBuilder.java
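Review bot: The added `qBuilder.setProjectionMap(MAP_OF_QUERYABLE_COLUMNS);` line introduces a constant the example never explains, yet that map is the allow-list the strict column check validates against, so a reader copying the snippet has no idea what to put in it. A comment on that line such as `// MAP_OF_QUERYABLE_COLUMNS: Map<String, String> from each client-visible column name to the column expression it may read; anything else is rejected` would make the guard concrete. The `// Guard against SQL injection attacks` comment would also be more useful if it named what is guarded — the projection, selection, group-by/having, sort-order and limit fragments that become SQL text — and noted that values passed as selection arguments are bound and need no such check. The same lines are repeated in the second hunk (`@@ -1546,6 +1552,12 @@`), which needs the identical wording; the example method these lines sit in starts and ends outside both hunks.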
@@ -48,6 +48,15 @@ import java.util.regex.Pattern;
 /**
 * This is a convenience class that helps build SQL queries to be sent to
 * {@link SQLiteDatabase} objects.
+ * <p>
+ * This class is often used to compose a SQL query from client-supplied fragments. Best practice
+ * to protect against invalid or illegal SQL is to set the following:
+ * <ul>
+ * <li>{@link #setStrict} true.
+ * <li>{@link #setProjectionMap} with the list of queryable columns.
+ * <li>{@link #setStrictColumns} true.
+ * <li>{@link #setStrictGrammar} true.
+ * </ul>
 */
 public class SQLiteQueryBuilder {
 private static final String TAG = "SQLiteQueryBuilder"; |
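Review bot: The new paragraph lists four settings to turn on but does not say what they apply to or how a rejected input surfaces, so a provider author cannot tell which of the `query` arguments are at risk. I would add after the list: `These checks apply to the fragments that are interpolated into the SQL text (projection, selection, group-by, having, sort order and limit); values supplied as selection arguments are bound parameters and are not affected.` The list also presents the items as independent, whereas as I read the enforcement the column check compares names against the projection map, so `{@link #setStrictColumns}` should say it is only meaningful once `{@link #setProjectionMap}` has been given the allow-list. Finally, a sentence stating that a fragment failing these checks causes the query to fail rather than run with the input passed through would set the caller's expectations.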