Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
When coding with databases on the web with say php and mysql you have to sanitize the data before you insert it into the database to make sure someone doesn’t escape quotes etc. Is this necessary in Android and MySQLite? Does it automatically sanitize? Or is it just unnecessary?
1) Yes, reagrdless of platform, you need to sanitize any inputs that comes from untrusted sources (from the user, another system, another app, etc – anything not hardcoded into your application).
2) Yes, you need to do this in Android when accessing a SQLite database (be that directly or through a Content Provider).
3) Sanitizing your inputs before using them in a SQL command to a database is necessary, but it cannot prevent all forms of SQL Injection. The best strategy to prevent this is to make use of Parameterized Queries, which allow the database to distinguish between what is meant to be data and what is meant to be command, so even if a bad input sneaks in and SQL commands appear in the data, the database knows to treat them as data. In standard Java coding, this involves the use of PreparedStatements. In SQLite/Android, you need to use
compileStatementto create your queries with placeholders for the data (what is derived from untrusted input) and usebindStringto set those placeholders.More about this in the excellent OWASP SQL Injection writeup.