| author | 2023-08-02 17:02:07 +0000 | |
|---|---|---|
| committer | 2023-08-02 17:02:07 +0000 | |
| commit | df17ec4b6214a84c2486d8b199682e3fe0a4917c (patch) | |
| tree | 5a2cf1af1c4192b8f006f15eafdb838d222a48c5 | |
| parent | adf8892e08e8bc9361b0d5ab64841aa038db758d (diff) | |
| parent | 390d51e3e8e2f5d0fa48b7d61058abc15e278fa6 (diff) | |
Merge "Update ContentProvider documentation" into main
| -rw-r--r-- | core/java/android/content/ContentProvider.java | 12 | ||||
| -rw-r--r-- | core/java/android/database/sqlite/SQLiteQueryBuilder.java | 9 |
2 files changed, 21 insertions, 0 deletions
diff --git a/core/java/android/content/ContentProvider.java b/core/java/android/content/ContentProvider.java
index a0bbeb5f4bfc..c86ccfdaa7d4 100644
--- a/core/java/android/content/ContentProvider.java
+++ b/core/java/android/content/ContentProvider.java
@@ -1483,6 +1483,12 @@ public abstract class ContentProvider implements ContentInterface, ComponentCall // proper SQL syntax for us. SQLiteQueryBuilder qBuilder = new SQLiteQueryBuilder(); + // Guard against SQL injection attacks + qBuilder.setStrict(true); + qBuilder.setProjectionMap(MAP_OF_QUERYABLE_COLUMNS); + qBuilder.setStrictColumns(true); + qBuilder.setStrictGrammar(true); + // Set the table we're querying. qBuilder.setTables(DATABASE_TABLE_NAME);
@@ -1546,6 +1552,12 @@ public abstract class ContentProvider implements ContentInterface, ComponentCall // proper SQL syntax for us. SQLiteQueryBuilder qBuilder = new SQLiteQueryBuilder(); + // Guard against SQL injection attacks + qBuilder.setStrict(true); + qBuilder.setProjectionMap(MAP_OF_QUERYABLE_COLUMNS); + qBuilder.setStrictColumns(true); + qBuilder.setStrictGrammar(true); + // Set the table we're querying. qBuilder.setTables(DATABASE_TABLE_NAME);
diff --git a/core/java/android/database/sqlite/SQLiteQueryBuilder.java b/core/java/android/database/sqlite/SQLiteQueryBuilder.java
index e9c59f55a418..2061c2bdd721 100644
--- a/core/java/android/database/sqlite/SQLiteQueryBuilder.java
+++ b/core/java/android/database/sqlite/SQLiteQueryBuilder.java
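Review bot: The sample code in both hunks (the second at @@ -1546 repeats the first) introduces `MAP_OF_QUERYABLE_COLUMNS` without saying what it has to contain, yet the protection that `qBuilder.setStrictColumns(true)` adds depends entirely on that map being the complete allow-list of columns a caller may read, since strict-columns mode presumably verifies the requested projection against the projection map. A reader copying the four calls with an empty or partial map would get the false impression of being covered, so a one-line comment before `qBuilder.setProjectionMap(MAP_OF_QUERYABLE_COLUMNS);` would help: `// Allow-list of client-visible column names -> table columns; strict-columns rejects anything not listed`. The comment `// Guard against SQL injection attacks` could also say that strict mode validates the selection/having fragments and strict grammar rejects unexpected SQL tokens, so readers know which input each setter covers. These lines are sample code inside a Javadoc block, and the enclosing method and Javadoc begin and end outside the hunk.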
@@ -48,6 +48,15 @@ import java.util.regex.Pattern;
 /**
 * This is a convenience class that helps build SQL queries to be sent to
 * {@link SQLiteDatabase} objects.
+ * <p>
+ * This class is often used to compose a SQL query from client-supplied fragments. Best practice
+ * to protect against invalid or illegal SQL is to set the following:
+ * <ul>
+ * <li>{@link #setStrict} true.
+ * <li>{@link #setProjectionMap} with the list of queryable columns.
+ * <li>{@link #setStrictColumns} true.
+ * <li>{@link #setStrictGrammar} true.
+ * </ul>
 */
 public class SQLiteQueryBuilder {
 private static final String TAG = "SQLiteQueryBuilder"; |
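Review bot: The new paragraph names the four setters to enable but says nothing about what happens when a check fails, nor that the column check has nothing to verify against unless the projection map from the previous bullet has been set, so a reader cannot tell whether a rejected query surfaces as an exception or as an empty result. I would add a sentence after `+ * </ul>` along the lines of `* A query, update, insert or delete that violates one of these checks fails with an exception rather than returning an empty result; {@link #setStrictColumns} only has effect once a projection map is set.` — the exact exception type should be confirmed against the enforcement code further down in this file before it is documented. As a style point, `{@link #setStrict} true.` reads oddly; `Call {@link #setStrict} with {@code true}.` (and likewise for the other bullets) is clearer. The class body continues outside the hunk.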