android: how do I replace SQLite execSQL() to avoid injection attack?
1
I have a method in my MainActivity resetSortIndexes that runs a save() in the model class that runs an SQLite database "execSQL()" method. Now I've read that I should not be using execSQL() to avoid SQL injection attacks and that I should not be using rawQuery() for any INSERT operation. So should I use ContentValues() and insert()?
MainActivity.java
...
public static void resetSortIndexes() {
int index = allList.size();
for (ListItem s : allList) {
s.setSortorder(index);
s.save(sqLiteDB);
index--;
}
}
ListItem.java
...
public void save(SQLiteDB helper){
String sql = "INSERT OR REPLACE INTO " + TABLE_NAME + "(_id,type,typecolor,todo,note1,note2," +
"duedatentime,timestamp,notiftime,notiftime2,randint,sortorder,listone,listtwo," +
"listthree,listfour,listfive,listsix,listseven,listeight,listnine,listten,listeleven," +
"listtwelve,listthirteen,listfourteen,listfifteen,listsixteen,listseventeen," +
"listeighteen,listnineteen,listtwenty) VALUES" +
"(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)";
// The object parameters from the ListItem class.
Object params = new Object{_id,_type,_typecolor,_todo,_note1,_note2,_duedatentime,
_timestamp,_notiftime,_notiftime2,_randint,_sortorder,_listone,_listtwo,
_listthree,_listfour,_listfive,_listsix,_listseven,_listeight,_listnine,
_listten,_listeleven,_listtwelve,_listthirteen,_listfourteen,_listfifteen,
_listsixteen,_listseventeen,_listeighteen,_listnineteen,_listtwenty};
// A method in the SQLiteDB class.
helper.executeQuery(sql,params);
}
SQLiteDB.java
...
public void executeQuery(String sql, Object params) {
SQLiteDatabase db = getReadableDatabase();
db.beginTransaction();
try {
**db.execSQL(sql, params);**
db.setTransactionSuccessful();
} finally {
db.endTransaction();
}
if(db.isOpen()) {
db.close();
}
}
android android-sqlite asked Nov 19 '18 at 4:18
AJWAJW
1,02931841
add a comment |
1
I have a method in my MainActivity resetSortIndexes that runs a save() in the model class that runs an SQLite database "execSQL()" method. Now I've read that I should not be using execSQL() to avoid SQL injection attacks and that I should not be using rawQuery() for any INSERT operation. So should I use ContentValues() and insert()?
MainActivity.java
...
public static void resetSortIndexes() {
int index = allList.size();
for (ListItem s : allList) {
s.setSortorder(index);
s.save(sqLiteDB);
index--;
}
}
ListItem.java
...
public void save(SQLiteDB helper){
String sql = "INSERT OR REPLACE INTO " + TABLE_NAME + "(_id,type,typecolor,todo,note1,note2," +
"duedatentime,timestamp,notiftime,notiftime2,randint,sortorder,listone,listtwo," +
"listthree,listfour,listfive,listsix,listseven,listeight,listnine,listten,listeleven," +
"listtwelve,listthirteen,listfourteen,listfifteen,listsixteen,listseventeen," +
"listeighteen,listnineteen,listtwenty) VALUES" +
"(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)";
// The object parameters from the ListItem class.
Object params = new Object{_id,_type,_typecolor,_todo,_note1,_note2,_duedatentime,
_timestamp,_notiftime,_notiftime2,_randint,_sortorder,_listone,_listtwo,
_listthree,_listfour,_listfive,_listsix,_listseven,_listeight,_listnine,
_listten,_listeleven,_listtwelve,_listthirteen,_listfourteen,_listfifteen,
_listsixteen,_listseventeen,_listeighteen,_listnineteen,_listtwenty};
// A method in the SQLiteDB class.
helper.executeQuery(sql,params);
}
SQLiteDB.java
...
public void executeQuery(String sql, Object params) {
SQLiteDatabase db = getReadableDatabase();
db.beginTransaction();
try {
**db.execSQL(sql, params);**
db.setTransactionSuccessful();
} finally {
db.endTransaction();
}
if(db.isOpen()) {
db.close();
}
}
asked Nov 19 '18 at 4:18
AJWAJW
1,02931841
add a comment |
1
1
1
I have a method in my MainActivity resetSortIndexes that runs a save() in the model class that runs an SQLite database "execSQL()" method. Now I've read that I should not be using execSQL() to avoid SQL injection attacks and that I should not be using rawQuery() for any INSERT operation. So should I use ContentValues() and insert()?
MainActivity.java
...
public static void resetSortIndexes() {
int index = allList.size();
for (ListItem s : allList) {
s.setSortorder(index);
s.save(sqLiteDB);
index--;
}
}
ListItem.java
...
public void save(SQLiteDB helper){
String sql = "INSERT OR REPLACE INTO " + TABLE_NAME + "(_id,type,typecolor,todo,note1,note2," +
"duedatentime,timestamp,notiftime,notiftime2,randint,sortorder,listone,listtwo," +
"listthree,listfour,listfive,listsix,listseven,listeight,listnine,listten,listeleven," +
"listtwelve,listthirteen,listfourteen,listfifteen,listsixteen,listseventeen," +
"listeighteen,listnineteen,listtwenty) VALUES" +
"(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)";
// The object parameters from the ListItem class.
Object params = new Object{_id,_type,_typecolor,_todo,_note1,_note2,_duedatentime,
_timestamp,_notiftime,_notiftime2,_randint,_sortorder,_listone,_listtwo,
_listthree,_listfour,_listfive,_listsix,_listseven,_listeight,_listnine,
_listten,_listeleven,_listtwelve,_listthirteen,_listfourteen,_listfifteen,
_listsixteen,_listseventeen,_listeighteen,_listnineteen,_listtwenty};
// A method in the SQLiteDB class.
helper.executeQuery(sql,params);
}
SQLiteDB.java
...
public void executeQuery(String sql, Object params) {
SQLiteDatabase db = getReadableDatabase();
db.beginTransaction();
try {
**db.execSQL(sql, params);**
db.setTransactionSuccessful();
} finally {
db.endTransaction();
}
if(db.isOpen()) {
db.close();
}
}
asked Nov 19 '18 at 4:18
AJWAJW
1,02931841
I have a method in my MainActivity resetSortIndexes that runs a save() in the model class that runs an SQLite database "execSQL()" method. Now I've read that I should not be using execSQL() to avoid SQL injection attacks and that I should not be using rawQuery() for any INSERT operation. So should I use ContentValues() and insert()?
MainActivity.java
...
public static void resetSortIndexes() {
int index = allList.size();
for (ListItem s : allList) {
s.setSortorder(index);
s.save(sqLiteDB);
index--;
}
}
ListItem.java
...
public void save(SQLiteDB helper){
String sql = "INSERT OR REPLACE INTO " + TABLE_NAME + "(_id,type,typecolor,todo,note1,note2," +
"duedatentime,timestamp,notiftime,notiftime2,randint,sortorder,listone,listtwo," +
"listthree,listfour,listfive,listsix,listseven,listeight,listnine,listten,listeleven," +
"listtwelve,listthirteen,listfourteen,listfifteen,listsixteen,listseventeen," +
"listeighteen,listnineteen,listtwenty) VALUES" +
"(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)";
// The object parameters from the ListItem class.
Object params = new Object{_id,_type,_typecolor,_todo,_note1,_note2,_duedatentime,
_timestamp,_notiftime,_notiftime2,_randint,_sortorder,_listone,_listtwo,
_listthree,_listfour,_listfive,_listsix,_listseven,_listeight,_listnine,
_listten,_listeleven,_listtwelve,_listthirteen,_listfourteen,_listfifteen,
_listsixteen,_listseventeen,_listeighteen,_listnineteen,_listtwenty};
// A method in the SQLiteDB class.
helper.executeQuery(sql,params);
}
SQLiteDB.java
...
public void executeQuery(String sql, Object params) {
SQLiteDatabase db = getReadableDatabase();
db.beginTransaction();
try {
**db.execSQL(sql, params);**
db.setTransactionSuccessful();
} finally {
db.endTransaction();
}
if(db.isOpen()) {
db.close();
}
}
asked Nov 19 '18 at 4:18
AJWAJW
1,02931841
asked Nov 19 '18 at 4:18
AJWAJW
1,02931841
asked Nov 19 '18 at 4:18
AJWAJW
1,02931841
asked Nov 19 '18 at 4:18
AJWAJW
1,02931841
asked Nov 19 '18 at 4:18
AJWAJW
1,02931841
1,02931841
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
1
You can use the method insertWithOnConflict(TABLE_NAME,null,contentvalues,SQLiteDatabase.CONFLICT_REPLACE);
Where contenvalues is a ContenValues populated using it's put(column_name,value) method for each value to be inserted.
The code would be along the lines of :-
ContentValues cv = new Contentvalues();
cv.put("_id",the_id);
cv.put("type",the_type);
..... etc
long result = helper.insertWithOnConflict(TABLE_NAME,null,cv,SQliteDatabase.CONFLICT_REPLACE);
- result will be the rowid of the inserted row or -1.
insertWithOnConflict
CONFLICT_REPLACE
P.S. using execSQL as you have, would offer protection from SQL injection as the SQL itself is not subject to user input and the values are bound/passed as arguments.
answered Nov 19 '18 at 4:51
MikeTMikeT
15.8k112642
Ok, will give it a try. What is the advantage to using insertWithOnConflict rather than insert()?
– AJW
Nov 19 '18 at 4:56
Would you still recommend replacing the execSQL() with the ContentValues code?
– AJW
Nov 19 '18 at 4:58
It will do INSERT OR REPLACE (or handle CONFLICT's (not Foreign Key conflicts)) instead of only INSERT OR IGNORE as insert does.
– MikeT
Nov 19 '18 at 4:58
uhhm, I wouldn't necessarily recommend. It's not as if a bolt of lightning will come down from above and strike you down. Personally I'd use the convenience methods (not execSQL/rawQuery) mainly because they, once you get the gist of them, are generally simpler to code. However, sometimes you have to, as they do have some limitations.
– MikeT
Nov 19 '18 at 5:00
Ha, I want to avoid the lightning bolts too. Answer upvoted and accepted. Cheers.
– AJW
Nov 19 '18 at 5:02
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53368244%2fandroid-how-do-i-replace-sqlite-execsql-to-avoid-injection-attack%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
1
You can use the method insertWithOnConflict(TABLE_NAME,null,contentvalues,SQLiteDatabase.CONFLICT_REPLACE);
Where contenvalues is a ContenValues populated using it's put(column_name,value) method for each value to be inserted.
The code would be along the lines of :-
ContentValues cv = new Contentvalues();
cv.put("_id",the_id);
cv.put("type",the_type);
..... etc
long result = helper.insertWithOnConflict(TABLE_NAME,null,cv,SQliteDatabase.CONFLICT_REPLACE);
- result will be the rowid of the inserted row or -1.
insertWithOnConflict
CONFLICT_REPLACE
P.S. using execSQL as you have, would offer protection from SQL injection as the SQL itself is not subject to user input and the values are bound/passed as arguments.
answered Nov 19 '18 at 4:51
MikeTMikeT
15.8k112642
Ok, will give it a try. What is the advantage to using insertWithOnConflict rather than insert()?
– AJW
Nov 19 '18 at 4:56
Would you still recommend replacing the execSQL() with the ContentValues code?
– AJW
Nov 19 '18 at 4:58
It will do INSERT OR REPLACE (or handle CONFLICT's (not Foreign Key conflicts)) instead of only INSERT OR IGNORE as insert does.
– MikeT
Nov 19 '18 at 4:58
uhhm, I wouldn't necessarily recommend. It's not as if a bolt of lightning will come down from above and strike you down. Personally I'd use the convenience methods (not execSQL/rawQuery) mainly because they, once you get the gist of them, are generally simpler to code. However, sometimes you have to, as they do have some limitations.
– MikeT
Nov 19 '18 at 5:00
Ha, I want to avoid the lightning bolts too. Answer upvoted and accepted. Cheers.
– AJW
Nov 19 '18 at 5:02
add a comment |
1
You can use the method insertWithOnConflict(TABLE_NAME,null,contentvalues,SQLiteDatabase.CONFLICT_REPLACE);
Where contenvalues is a ContenValues populated using it's put(column_name,value) method for each value to be inserted.
The code would be along the lines of :-
ContentValues cv = new Contentvalues();
cv.put("_id",the_id);
cv.put("type",the_type);
..... etc
long result = helper.insertWithOnConflict(TABLE_NAME,null,cv,SQliteDatabase.CONFLICT_REPLACE);
- result will be the rowid of the inserted row or -1.
insertWithOnConflict
CONFLICT_REPLACE
P.S. using execSQL as you have, would offer protection from SQL injection as the SQL itself is not subject to user input and the values are bound/passed as arguments.
answered Nov 19 '18 at 4:51
MikeTMikeT
15.8k112642
Ok, will give it a try. What is the advantage to using insertWithOnConflict rather than insert()?
– AJW
Nov 19 '18 at 4:56
Would you still recommend replacing the execSQL() with the ContentValues code?
– AJW
Nov 19 '18 at 4:58
It will do INSERT OR REPLACE (or handle CONFLICT's (not Foreign Key conflicts)) instead of only INSERT OR IGNORE as insert does.
– MikeT
Nov 19 '18 at 4:58
uhhm, I wouldn't necessarily recommend. It's not as if a bolt of lightning will come down from above and strike you down. Personally I'd use the convenience methods (not execSQL/rawQuery) mainly because they, once you get the gist of them, are generally simpler to code. However, sometimes you have to, as they do have some limitations.
– MikeT
Nov 19 '18 at 5:00
Ha, I want to avoid the lightning bolts too. Answer upvoted and accepted. Cheers.
– AJW
Nov 19 '18 at 5:02
add a comment |
1
1
1
You can use the method insertWithOnConflict(TABLE_NAME,null,contentvalues,SQLiteDatabase.CONFLICT_REPLACE);
Where contenvalues is a ContenValues populated using it's put(column_name,value) method for each value to be inserted.
The code would be along the lines of :-
ContentValues cv = new Contentvalues();
cv.put("_id",the_id);
cv.put("type",the_type);
..... etc
long result = helper.insertWithOnConflict(TABLE_NAME,null,cv,SQliteDatabase.CONFLICT_REPLACE);
- result will be the rowid of the inserted row or -1.
insertWithOnConflict
CONFLICT_REPLACE
P.S. using execSQL as you have, would offer protection from SQL injection as the SQL itself is not subject to user input and the values are bound/passed as arguments.
answered Nov 19 '18 at 4:51
MikeTMikeT
15.8k112642
You can use the method insertWithOnConflict(TABLE_NAME,null,contentvalues,SQLiteDatabase.CONFLICT_REPLACE);
Where contenvalues is a ContenValues populated using it's put(column_name,value) method for each value to be inserted.
The code would be along the lines of :-
ContentValues cv = new Contentvalues();
cv.put("_id",the_id);
cv.put("type",the_type);
..... etc
long result = helper.insertWithOnConflict(TABLE_NAME,null,cv,SQliteDatabase.CONFLICT_REPLACE);
- result will be the rowid of the inserted row or -1.
insertWithOnConflict
CONFLICT_REPLACE
P.S. using execSQL as you have, would offer protection from SQL injection as the SQL itself is not subject to user input and the values are bound/passed as arguments.
answered Nov 19 '18 at 4:51
MikeTMikeT
15.8k112642
answered Nov 19 '18 at 4:51
MikeTMikeT
15.8k112642
answered Nov 19 '18 at 4:51
MikeTMikeT
15.8k112642
answered Nov 19 '18 at 4:51
MikeTMikeT
15.8k112642
15.8k112642
Ok, will give it a try. What is the advantage to using insertWithOnConflict rather than insert()?
– AJW
Nov 19 '18 at 4:56
Would you still recommend replacing the execSQL() with the ContentValues code?
– AJW
Nov 19 '18 at 4:58
It will do INSERT OR REPLACE (or handle CONFLICT's (not Foreign Key conflicts)) instead of only INSERT OR IGNORE as insert does.
– MikeT
Nov 19 '18 at 4:58
uhhm, I wouldn't necessarily recommend. It's not as if a bolt of lightning will come down from above and strike you down. Personally I'd use the convenience methods (not execSQL/rawQuery) mainly because they, once you get the gist of them, are generally simpler to code. However, sometimes you have to, as they do have some limitations.
– MikeT
Nov 19 '18 at 5:00
Ha, I want to avoid the lightning bolts too. Answer upvoted and accepted. Cheers.
– AJW
Nov 19 '18 at 5:02
add a comment |
Ok, will give it a try. What is the advantage to using insertWithOnConflict rather than insert()?
– AJW
Nov 19 '18 at 4:56
Would you still recommend replacing the execSQL() with the ContentValues code?
– AJW
Nov 19 '18 at 4:58
It will do INSERT OR REPLACE (or handle CONFLICT's (not Foreign Key conflicts)) instead of only INSERT OR IGNORE as insert does.
– MikeT
Nov 19 '18 at 4:58
uhhm, I wouldn't necessarily recommend. It's not as if a bolt of lightning will come down from above and strike you down. Personally I'd use the convenience methods (not execSQL/rawQuery) mainly because they, once you get the gist of them, are generally simpler to code. However, sometimes you have to, as they do have some limitations.
– MikeT
Nov 19 '18 at 5:00
Ha, I want to avoid the lightning bolts too. Answer upvoted and accepted. Cheers.
– AJW
Nov 19 '18 at 5:02
Ok, will give it a try. What is the advantage to using insertWithOnConflict rather than insert()?
– AJW
Nov 19 '18 at 4:56
Ok, will give it a try. What is the advantage to using insertWithOnConflict rather than insert()?
– AJW
Nov 19 '18 at 4:56
Would you still recommend replacing the execSQL() with the ContentValues code?
– AJW
Nov 19 '18 at 4:58
Would you still recommend replacing the execSQL() with the ContentValues code?
– AJW
Nov 19 '18 at 4:58
It will do INSERT OR REPLACE (or handle CONFLICT's (not Foreign Key conflicts)) instead of only INSERT OR IGNORE as insert does.
– MikeT
Nov 19 '18 at 4:58
It will do INSERT OR REPLACE (or handle CONFLICT's (not Foreign Key conflicts)) instead of only INSERT OR IGNORE as insert does.
– MikeT
Nov 19 '18 at 4:58
uhhm, I wouldn't necessarily recommend. It's not as if a bolt of lightning will come down from above and strike you down. Personally I'd use the convenience methods (not execSQL/rawQuery) mainly because they, once you get the gist of them, are generally simpler to code. However, sometimes you have to, as they do have some limitations.
– MikeT
Nov 19 '18 at 5:00
uhhm, I wouldn't necessarily recommend. It's not as if a bolt of lightning will come down from above and strike you down. Personally I'd use the convenience methods (not execSQL/rawQuery) mainly because they, once you get the gist of them, are generally simpler to code. However, sometimes you have to, as they do have some limitations.
– MikeT
Nov 19 '18 at 5:00
Ha, I want to avoid the lightning bolts too. Answer upvoted and accepted. Cheers.
– AJW
Nov 19 '18 at 5:02
Ha, I want to avoid the lightning bolts too. Answer upvoted and accepted. Cheers.
– AJW
Nov 19 '18 at 5:02
add a comment |
draft saved
draft discarded
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53368244%2fandroid-how-do-i-replace-sqlite-execsql-to-avoid-injection-attack%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
