My code was scanned by a tool and it raised a warning:
SQL injection vulnerability in an Android app
Findings
The Android app was found to have a SQL injection vulnerability; attackers could submit a crafted request to manipulate database
queries/commands.
This code uses a concatenated query in a SQL statement, which is prone to SQLite injection. Suggest using a parameterized query instead.
I already use binding in my query statements. Is the native SQLiteDatabase.query not enough to prevent SQL injection?
Here is my code:
import android.content.ContentValues;
import android.content.Context;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.util.ArrayMap;   // assumed: the post does not show which ArrayMap is imported
import java.util.ArrayList;

// DataBase, DataBaseConstant and TypeConstant are project classes that are not shown in the post.
// HOTEL_TYPE_TABLE is inherited from DataBaseConstant, as the other methods already use it.
public class TypeModel implements DataBaseConstant {
    private SQLiteDatabase r_db;

    public TypeModel(Context context) {
        // Get the singleton database from the static method
        this.r_db = DataBase.getInstance(context).getWritableDatabase();
    }

    // One row per language. ContentValues binds every value, so no SQL text is built by hand.
    public void addType(int id, ArrayMap<String, String> nameMap) {
        for (String key : nameMap.keySet()) {
            ContentValues mType = new ContentValues();
            mType.put(TypeConstant.ID, id);
            mType.put(TypeConstant.LANG, key);
            mType.put(TypeConstant.NAME, nameMap.get(key));
            this.r_db.insert(HOTEL_TYPE_TABLE, null, mType);
        }
    }

    // The id travels in whereArgs, so it is bound to the '?' placeholder, never concatenated.
    public boolean isExist(int id) {
        String[] m_columns = { TypeConstant.ID };
        String whereClause = TypeConstant.ID + " = ?";
        String[] whereArgs = { String.valueOf(id) };
        Cursor cursor = null;
        try {
            cursor = this.r_db.query(HOTEL_TYPE_TABLE, m_columns, whereClause, whereArgs, null, null, null);
            return cursor.moveToFirst();
        } finally {
            if (cursor != null) cursor.close();
        }
    }

    // whereClause is raw SQL text supplied by the caller; whereArgs only binds the '?' placeholders
    // the caller put inside it. Anything a caller concatenates into whereClause is executed verbatim.
    public ArrayList<Integer> search(String whereClause, String[] whereArgs) {
        ArrayList<Integer> childList = new ArrayList<Integer>();
        String[] m_columns = { TypeConstant.ID };
        Cursor cursor = null;
        try {
            // distinct = true: each id is returned once even if it has several language rows
            cursor = this.r_db.query(true, HOTEL_TYPE_TABLE, m_columns, whereClause, whereArgs, null, null, null, null);
            while (cursor.moveToNext()) {
                int childId = cursor.getInt(0);
                childList.add(childId);
            }
        } finally {
            if (cursor != null) cursor.close();
        }
        return childList;
    }

    // Returns the language -> name map for one id; the id is bound via whereArgs as in isExist.
    public ArrayMap<String, String> getType(int id) {
        ArrayMap<String, String> nameMap = new ArrayMap<String, String>();
        String[] m_columns = { TypeConstant.LANG, TypeConstant.NAME };
        String whereClause = TypeConstant.ID + " = ?";
        String[] whereArgs = { String.valueOf(id) };
        Cursor cursor = null;
        try {
            cursor = this.r_db.query(HOTEL_TYPE_TABLE, m_columns, whereClause, whereArgs, null, null, null);
            while (cursor.moveToNext()) {
                String lang = cursor.getString(0);
                String name = cursor.getString(1);
                nameMap.put(lang, name);
            }
        } finally {
            if (cursor != null) cursor.close();
        }
        return nameMap;
    }
}
The scanner cites some references:
OWASP guide, http://www.owasp.org/index.php/Unvalidated_Input
OWASP guide, https://www.owasp.org/index.php/SQL_Injection
Data validation, https://www.owasp.org/index.php/Data_Validation#Delimiter_and_special_characters
Unixwiz.net tech tip, http://www.unixwiz.net/techtips/sql-injection.html
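Added example, not part of the question or of the scanner's report: the behaviour the question is about, run against the same SQLite engine from Python's sqlite3 module rather than the Android API. search_raw mirrors the post's search(whereClause, whereArgs) signature, where the caller hands over the WHERE text verbatim and whereArgs only fills the '?' placeholders inside it; search_by_column is a hardened variant in which the only SQL text a caller can influence is a column name checked against an allowlist, and the value is always bound. The table name, column names, sample rows and the hostile input are constructed assumptions, because the post does not show TypeConstant or the HOTEL_TYPE_TABLE constant.

```python
import sqlite3

# Assumed names: the post's TypeConstant / HOTEL_TYPE_TABLE constants are not shown.
HOTEL_TYPE_TABLE = "hotel_type"
ALLOWED_COLUMNS = {"id", "lang", "name"}   # allowlist used by the hardened search


def build_db():
    """In-memory SQLite database with a few constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {HOTEL_TYPE_TABLE} (id INTEGER, lang TEXT, name TEXT)")
    db.executemany(
        f"INSERT INTO {HOTEL_TYPE_TABLE} (id, lang, name) VALUES (?, ?, ?)",
        [(1, "en", "Resort"), (1, "zh", "度假村"), (2, "en", "Hostel"), (3, "en", "Motel")],
    )
    return db


def search_raw(db, where_clause, where_args):
    """Mirror of the post's search(): the WHERE text comes from the caller verbatim,
    where_args only fills the '?' placeholders the caller put inside it."""
    sql = f"SELECT DISTINCT id FROM {HOTEL_TYPE_TABLE} WHERE {where_clause}"
    return sorted(row[0] for row in db.execute(sql, where_args))


def search_by_column(db, column, value):
    """Hardened variant: the column name is the only caller-influenced SQL text and is
    checked against an allowlist; the value is always a bound parameter."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not allowed: {column!r}")
    sql = f"SELECT DISTINCT id FROM {HOTEL_TYPE_TABLE} WHERE {column} = ?"
    return sorted(row[0] for row in db.execute(sql, (value,)))


def demo():
    """Runs each case and returns the id lists so they can be compared."""
    db = build_db()
    hostile = "x' OR '1'='1"      # constructed attacker-controlled input
    results = {
        # Correct use of the raw API: placeholder in the clause, value in where_args.
        "bound_ok": search_raw(db, "lang = ?", ["zh"]),
        # A caller that pastes the input into the clause: the OR becomes part of the SQL.
        "concat_injected": search_raw(db, "name = '" + hostile + "'", []),
        # The same input as a bound value is just a string literal; no row has that name.
        "bound_hostile": search_by_column(db, "name", hostile),
        "bound_name": search_by_column(db, "name", "Hostel"),
        # Android binds String.valueOf(id); SQLite's INTEGER affinity still matches "1" to 1.
        "bound_id_as_text": search_by_column(db, "id", "1"),
    }
    try:
        # Column names cannot be bound, so they must be allowlisted instead.
        search_by_column(db, "name = 'x' OR '1'='1' --", "ignored")
        results["bad_column_rejected"] = False
    except ValueError:
        results["bad_column_rejected"] = True
    return results


if __name__ == "__main__":
    for case, ids in demo().items():
        print(f"{case}: {ids}")
```

What the run shows: when the value goes through the '?' placeholder, the hostile string matches nothing, which is exactly the protection the post's isExist and getType already get from whereArgs. The difference with search() is that its selection string is written by the caller, so binding protects only the parts of that string the caller chose to parameterize; the concat_injected case returns every row because the OR was concatenated into the clause before it reached the engine. Binding also cannot carry identifiers (column or table names), which is why the hardened variant allowlists the column instead of trying to bind it.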