[android-developers] Re: SQL Injection

2010-11-22 Thread Chris Stratton
On Nov 23, 12:36 am, Kumar Bibek  wrote:

> If you don't have a content provider, you don't have to worry about this at
> all, since your DB cannot be accessed by other applications.

Not so fast.  If you have a text field for user entry, or pull a
string out of an email or off a website or from any uncontrolled
source which then goes into the DB, not sanitizing it creates an
attack route.

See for example the infamous Bobby Tables... http://xkcd.com/327/

-- 
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en


[android-developers] Re: SQL Injection

2010-11-23 Thread Kevin
Thanks guys, I just want to make sure I understand correctly: using
SQLiteDatabase.insert(...) with input from a text field is safe
without sanitizing first?

On Nov 22, 9:55 pm, Kumar Bibek  wrote:
> Well, if you use a raw query, then yeah, I guess it's possible. But if you
> use the query method of the SQLiteDatabase, then I guess you are safe.
>
> Kumar Bibek
> http://techdroid.kbeanie.com
> http://www.kbeanie.com
>
> On Tue, Nov 23, 2010 at 11:16 AM, Chris Stratton  wrote:
> > On Nov 23, 12:36 am, Kumar Bibek  wrote:
>
> > > If you don't have a content provider, you don't have to worry about this
> > at
> > > all, since your DB cannot be accessed by other applications.
>
> > Not so fast.  If you have a text field for user entry, or pull a
> > string out of an email or off a website or from any uncontrolled
> > source which then goes into the DB, not sanitizing it creates an
> > attack route.
>
> > See for example the infamous Bobby Tables... http://xkcd.com/327/
>



Re: [android-developers] Re: SQL Injection

2010-11-22 Thread Kumar Bibek
Well, if you use a raw query, then yeah, I guess it's possible. But if you
use the query method of the SQLiteDatabase, then I guess you are safe.

Kumar Bibek
http://techdroid.kbeanie.com
http://www.kbeanie.com



On Tue, Nov 23, 2010 at 11:16 AM, Chris Stratton  wrote:

> On Nov 23, 12:36 am, Kumar Bibek  wrote:
>
> > If you don't have a content provider, you don't have to worry about this
> at
> > all, since your DB cannot be accessed by other applications.
>
> Not so fast.  If you have a text field for user entry, or pull a
> string out of an email or off a website or from any uncontrolled
> source which then goes into the DB, not sanitizing it creates an
> attack route.
>
> See for example the infamous Bobby Tables... http://xkcd.com/327/
>

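What separates the "raw query" case Kumar describes from the safe case, and what answers Kevin's question about insert(), is not which SQLiteDatabase method is called but whether the untrusted string is spliced into SQL text or passed as a bound parameter. The following is an added example, not code from this thread or from Android: it uses Python's sqlite3 module against an in-memory SQLite database (the same engine Android apps use) so the two behaviours can be run side by side. The table, the sample rows, the hostile inputs and all function names (make_db, lookup_concat, lookup_bound, insert_bound, table_exists) are constructed for this demonstration; the comments map each function to the Android call it stands in for.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the original thread).
SEED_ROWS = [("alice", "alice-secret"), ("bob", "bob-secret")]

# Constructed hostile inputs, as a user might type them into a text field.
TAUTOLOGY = "x' OR 'a'='a"                # turns a single-row lookup into "match everything"
BOBBY = "Robert'); DROP TABLE users;--"   # the xkcd 327 input


def make_db():
    """In-memory SQLite DB standing in for the app's private database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_ROWS)
    return conn


def lookup_concat(conn, name):
    """VULNERABLE: the WHERE clause is built by string concatenation.
    Stands in for rawQuery("... WHERE name = '" + name + "'", null), or for
    query() with the user input pasted into the `selection` string."""
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "' ORDER BY name"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    """SAFE: the input travels as a bound parameter, never as SQL text.
    Stands in for rawQuery("... WHERE name = ?", new String[]{name}), or for
    query() with selection "name = ?" and the input in selectionArgs."""
    sql = "SELECT name, secret FROM users WHERE name = ? ORDER BY name"
    return conn.execute(sql, (name,)).fetchall()


def insert_bound(conn, name, secret):
    """Insert with bound parameters, which is what SQLiteDatabase.insert()
    does with the values in a ContentValues. Returns the stored name read
    back through a bound query, to show it was stored verbatim."""
    conn.execute("INSERT INTO users (name, secret) VALUES (?, ?)", (name, secret))
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()[0]


def table_exists(conn, table="users"):
    """True if the table is still in the schema (i.e. nothing dropped it)."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = make_db()
    print("concat :", lookup_concat(db, TAUTOLOGY))  # leaks every row
    print("bound  :", lookup_bound(db, TAUTOLOGY))   # no such user: []
    print("stored :", insert_bound(db, BOBBY, "x"))  # Bobby's string, verbatim
    print("table  :", table_exists(db))              # still there
```

Run as-is, lookup_concat with the tautology input returns both users' secrets while lookup_bound returns nothing, and insert_bound stores the Bobby Tables string as an ordinary value with the table intact. So the direct answer to Kevin is that insert() with ContentValues is injection-safe on its own; the remaining risk is any later rawQuery() or query() that concatenates that stored value, or any other uncontrolled string, into the SQL, which is why the fix belongs at the query-construction step (use "?" placeholders and selectionArgs everywhere) rather than at input time. Note also that sqlite3 bindings which prepare one statement per call, Python's included, will not execute the comic's trailing DROP TABLE from a concatenated SELECT, but that offers no protection against the tautology shown here.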