| -rw-r--r-- | core/java/android/content/ContentProvider.java | 12 | ||||
| -rw-r--r-- | core/java/android/database/sqlite/SQLiteQueryBuilder.java | 9 |
2 files changed, 21 insertions, 0 deletions
diff --git a/core/java/android/content/ContentProvider.java b/core/java/android/content/ContentProvider.java
index a0bbeb5f4bfc..c86ccfdaa7d4 100644
--- a/core/java/android/content/ContentProvider.java
+++ b/core/java/android/content/ContentProvider.java
@@ -1483,6 +1483,12 @@ public abstract class ContentProvider implements ContentInterface, ComponentCall
 // proper SQL syntax for us.
 SQLiteQueryBuilder qBuilder = new SQLiteQueryBuilder();
+ // Guard against SQL injection attacks
+ qBuilder.setStrict(true);
+ qBuilder.setProjectionMap(MAP_OF_QUERYABLE_COLUMNS);
+ qBuilder.setStrictColumns(true);
+ qBuilder.setStrictGrammar(true);
+
 // Set the table we're querying.
 qBuilder.setTables(DATABASE_TABLE_NAME);
@@ -1546,6 +1552,12 @@ public abstract class ContentProvider implements ContentInterface, ComponentCall
 // proper SQL syntax for us.
 SQLiteQueryBuilder qBuilder = new SQLiteQueryBuilder();
+ // Guard against SQL injection attacks
+ qBuilder.setStrict(true);
+ qBuilder.setProjectionMap(MAP_OF_QUERYABLE_COLUMNS);
+ qBuilder.setStrictColumns(true);
+ qBuilder.setStrictGrammar(true);
+
 // Set the table we're querying.
 qBuilder.setTables(DATABASE_TABLE_NAME);
diff --git a/core/java/android/database/sqlite/SQLiteQueryBuilder.java b/core/java/android/database/sqlite/SQLiteQueryBuilder.java
index e9c59f55a418..2061c2bdd721 100644
--- a/core/java/android/database/sqlite/SQLiteQueryBuilder.java
+++ b/core/java/android/database/sqlite/SQLiteQueryBuilder.java
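Review bot: The added `qBuilder.setProjectionMap(MAP_OF_QUERYABLE_COLUMNS);` in the query() example (both hunks, at 1483 and 1546) references a constant the sample never defines or describes, so a reader copying the example has no indication that it must be a map from every column name a client may legitimately reference to the backing column, and that once `setStrictColumns(true)` is on, a column outside that map is presumably rejected rather than passed through. A one-line comment in the sample would close the gap, e.g. `// MAP_OF_QUERYABLE_COLUMNS: Map<String, String> of client-visible column name -> backing column; list every column clients may reference`. It is also worth saying in the "Guard against SQL injection attacks" comment that these settings validate client-supplied clause fragments only, and that selection values should still be bound via selectionArgs rather than concatenated into the selection string. The example method these hunks sit in begins and ends outside the hunks.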
@@ -48,6 +48,15 @@ import java.util.regex.Pattern;
 /**
 * This is a convenience class that helps build SQL queries to be sent to
 * {@link SQLiteDatabase} objects.
+ * <p>
+ * This class is often used to compose a SQL query from client-supplied fragments. Best practice
+ * to protect against invalid or illegal SQL is to set the following:
+ * <ul>
+ * <li>{@link #setStrict} true.
+ * <li>{@link #setProjectionMap} with the list of queryable columns.
+ * <li>{@link #setStrictColumns} true.
+ * <li>{@link #setStrictGrammar} true.
+ * </ul>
 */
 public class SQLiteQueryBuilder {
 private static final String TAG = "SQLiteQueryBuilder"; |
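Review bot: The new class Javadoc lists the four strict settings but does not say what each one protects against, so a reader cannot tell why all four are needed rather than `setStrict` alone or what happens to a query that violates them; a short clause per bullet would help, e.g. `<li>{@link #setStrict} true, so client-supplied selection and sort fragments are validated before being used.` and `<li>{@link #setProjectionMap} with every column clients may legitimately reference; with strict columns enabled, other columns are presumably rejected.`. The paragraph should also make explicit that these settings constrain SQL clause fragments only, and that values still belong in selection arguments rather than being concatenated into the clause. The class body continues beyond the hunk.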