If I understand the ContentProvider API correctly, much of the API
comes from passing SQL snippets for projections, selection, sort, etc.
This strikes me as particularly dangerous, as these snippets can
easily come from malicious, third-party apps.  http://xkcd.com/327/
comes to mind, but this seems worse, as we're dealing with actual SQL,
rather than just string parameters that can be encoded.

I'm sure Google has thought about these problems, and I'm wondering if
anything exists in the APIs or automatically behind the scenes to
sanitize the strings coming into a ContentProvider.

I see some discussion about this issue here:
  http://code.google.com/p/android/issues/detail?id=159
But no follow-up.  (It seems strange to me that this security-related
bug, arising from a fundamental design flaw of a core API, is
acknowledged as a defect but only marked as "Medium" priority.)



Anm
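The concern above is about the provider side: a ContentProvider's query() receives the caller's projection, selection and sort strings and is responsible for what it does with them. The following is an added illustration, not code from the original post, of the defensive pattern the framework offers: values travel through selectionArgs (bound parameters, never spliced into SQL text), and SQLiteQueryBuilder's projection map plus strict mode limits which column names a caller may reference. The class, table, column and helper names (NotesProvider, notes, NotesDbHelper) are hypothetical.

```java
// Added example: a read-only ContentProvider that keeps caller-supplied
// strings out of SQL text. Names are hypothetical, not from the post.
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;

public class NotesProvider extends ContentProvider {
    private static final String TABLE = "notes";

    // Whitelist of column names a caller may use in projection, selection
    // and sort order. Keys are the external names, values the SQL expressions.
    private static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        PROJECTION_MAP.put("_id", "_id");
        PROJECTION_MAP.put("title", "title");
        PROJECTION_MAP.put("body", "body");
    }

    private SQLiteOpenHelper helper; // hypothetical helper that owns the DB

    @Override
    public boolean onCreate() {
        helper = new NotesDbHelper(getContext());
        return true;
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);

        // Unknown column names in the projection raise IllegalArgumentException
        // instead of being passed through to SQLite.
        qb.setProjectionMap(PROJECTION_MAP);

        // Strict mode (API 14+) additionally verifies the selection against the
        // projection map, so a selection referencing other tables or columns
        // is rejected rather than executed.
        qb.setStrict(true);

        // A provider-owned constraint: appended by the provider, so the caller's
        // selection is ANDed with it and cannot drop it.
        qb.appendWhere("deleted = 0");

        SQLiteDatabase db = helper.getReadableDatabase();
        // Caller values arrive only via selectionArgs and are bound by SQLite;
        // a value such as "x' OR '1'='1" is compared literally, not parsed.
        return qb.query(db, projection, selection, selectionArgs,
                        null, null, sortOrder);
    }

    @Override
    public String getType(Uri uri) {
        return "vnd.android.cursor.dir/vnd.example.note"; // hypothetical MIME type
    }

    // Read-only provider: refuse writes outright rather than leaving them open.
    @Override
    public Uri insert(Uri uri, ContentValues values) {
        throw new UnsupportedOperationException("read-only provider");
    }

    @Override
    public int update(Uri uri, ContentValues values, String selection,
                      String[] selectionArgs) {
        throw new UnsupportedOperationException("read-only provider");
    }

    @Override
    public int delete(Uri uri, String selection, String[] selectionArgs) {
        throw new UnsupportedOperationException("read-only provider");
    }
}
```

A caller would then issue `getContentResolver().query(uri, new String[]{"title"}, "title = ?", new String[]{userInput}, "title ASC")`, with the untrusted value only ever in the args array. The projection map and strict mode cover column names and the selection; they do not make an arbitrary selection string safe by themselves, so a provider that should not be reachable by other packages should still be declared with `android:exported="false"` or guarded by a permission in its manifest.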