ActiveAndroid is prone to SQL injection. Any known solution?

Android app already developed using ActiveAndroid

public static List<ModelNames> search(String pattern) {
    // user input is concatenated straight into the WHERE clause
    return new Select().from(ModelNames.class)
            .where("title LIKE '%" + pattern + "%' or content LIKE '%" + pattern + "%'")
            .orderBy("title")
            .execute();
}

Now it is prone to SQL injection.

Has anyone encountered a similar problem and found a solution, or could someone provide a solution for the same?

Found a GitHub issue but couldn't find the right solution.

+4
3 answers

The examples on the website show how to use placeholders:

public static List<ModelNames> search(String pattern) {
    pattern = "%" + pattern + "%";
    return new Select().from(ModelNames.class)
        .where("title LIKE ? or content LIKE ?", pattern, pattern)
        .orderBy("title")
        .execute();
}
+2
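As an added example (not from the question or from any of the answers above), here is the placeholder approach from the first answer extended with escaping of the LIKE metacharacters `%` and `_`. Binding the value with `?` stops quotes from breaking out of the string literal, but it does not stop a user typing `%` from matching every row, so the wildcards are escaped and an `ESCAPE` clause is declared. `ModelNamesSearch` and `escapeLike` are names assumed for this example; `ModelNames` is the model class from the question.

```java
import com.activeandroid.query.Select;
import java.util.List;

public final class ModelNamesSearch {

    // Escape LIKE metacharacters so the user's text is matched literally.
    // The backslash is declared as the ESCAPE character in the query below,
    // so it has to be escaped first, then % and _.
    static String escapeLike(String input) {
        return input.replace("\\", "\\\\")
                    .replace("%", "\\%")
                    .replace("_", "\\_");
    }

    public static List<ModelNames> search(String userInput) {
        // The wildcards we add ourselves stay unescaped: they are the only
        // ones meant to act as wildcards.
        String pattern = "%" + escapeLike(userInput) + "%";
        // '?' placeholders are bound by SQLite as values, never parsed as SQL;
        // the Java literal "'\\'" becomes ESCAPE '\' in the SQL text.
        return new Select().from(ModelNames.class)
                .where("title LIKE ? ESCAPE '\\' OR content LIKE ? ESCAPE '\\'",
                        pattern, pattern)
                .orderBy("title")
                .execute();
    }
}
```

With this version an input of `' OR 1=1 --` is searched for literally, and an input of `%` matches only rows whose title or content actually contains a percent sign.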

A naming convention from Joel Spolsky's article "Making Wrong Code Look Wrong": strings that come straight from user input get a "us" prefix (usUsername), strings that have been escaped get an "s" prefix (sUsername), and only s-variables are ever put into a query.

Link: http://www.joelonsoftware.com/articles/Wrong.html

+1

For the ActiveAndroid ORM:

public static List<ModelNames> search(String pattern) {
    // DatabaseUtils.sqlEscapeString() returns the value wrapped in single quotes
    // with any embedded single quote doubled (android.database.DatabaseUtils)
    String escaped = DatabaseUtils.sqlEscapeString(pattern);
    // strip the surrounding quotes so the value can sit between the % wildcards;
    // note that % and _ inside the input are not escaped and still act as wildcards
    escaped = escaped.substring(1, escaped.length() - 1);
    return new Select().from(ModelNames.class)
            .where("title LIKE '%" + escaped + "%' or content LIKE '%" + escaped + "%'")
            .orderBy("title")
            .execute();
}

See: DatabaseUtils.sqlEscapeString

+1

Source: https://habr.com/ru/post/1621250/

