代码之家  ›  专栏  ›  技术社区  ›  Pradnya Bhagat

如何处理/避免SQLite数据库中的SQL注入

sql-injection sqlite android
  •  0
  • Pradnya Bhagat  · 技术社区  · 8 年前

    我写了一个类EmployeeDAO,所有的功能都很好,但是我从客户端SQL注入攻击中得到了问题,我读到了有关SQL注入和准备好的语句,但是我不知道如何使用准备好的语句来处理/避免SQL注入攻击我的代码中很新,请帮助我。

    employeedao.java类 

      public class EmployeeDAO {

// Database fields
private SQLiteDatabase database;
private EmployeeDatabaseHelper dbHelper;

private String[] allColumns = {
  // all column name
 };

public EmployeeDAO(Context context) {
    dbHelper = new EmployeeDatabaseHelper(context);
}

public void open() throws SQLException {
    database = dbHelper.getWritableDatabase();
}

public void close() {
    dbHelper.close();
}

public void saveEmployeeDetails(Employee employee) {

    try {
        truncateEmployeeDetails();
        ContentValues values = new ContentValues();

        values.put(EmployeeContract.EmployeeEntry.COLUMN_NAME_AD_ID, CryptoHelper.encrypt(employee.getAdId()));
        values.put(EmployeeContract.EmployeeEntry.COLUMN_NAME_CODE, CryptoHelper.encrypt(employee.getCode()));
        values.put(EmployeeContract.EmployeeEntry.COLUMN_NAME_EMAIL, CryptoHelper.encrypt(employee.getEmail()));
        values.put(EmployeeContract.EmployeeEntry.COLUMN_NAME_FIRST_NAME, CryptoHelper.encrypt(employee.getFirstName()));
        values.put(EmployeeContract.EmployeeEntry.COLUMN_NAME_GENDER, CryptoHelper.encrypt(employee.getGender()));
        values.put(EmployeeContract.EmployeeEntry.COLUMN_NAME_PK_ID, CryptoHelper.encrypt(String.valueOf(employee.getId())));
        values.put(EmployeeContract.EmployeeEntry.COLUMN_NAME_IMEI, CryptoHelper.encrypt(employee.getImei()));
        values.put(EmployeeContract.EmployeeEntry.COLUMN_NAME_LAST_NAME, CryptoHelper.encrypt(employee.getLastName()));
        values.put(EmployeeContract.EmployeeEntry.COLUMN_NAME_PHONE, CryptoHelper.encrypt(employee.getPhone()));

        database.insert(EmployeeContract.EmployeeEntry.TABLE_NAME, null, values);
    } catch (Exception e) {
        e.printStackTrace();
    }
}

public void truncateEmployeeDetails() {
    database.execSQL("delete from " + EmployeeContract.EmployeeEntry.TABLE_NAME);
}

public Employee getEmployeeDetails() {
    Employee employee = null;
    Cursor cursor = null;
    try {
        cursor = database.query(EmployeeContract.EmployeeEntry.TABLE_NAME,
                allColumns, null, null, null, null, null);

        cursor.moveToFirst();
        employee = cursorToEmployee(cursor);
    } catch (Exception e) {
        e.printStackTrace();
    } finally {
        if (cursor != null)
            cursor.close();
    }
    return employee;
}

private Employee cursorToEmployee(Cursor cursor) {
    Employee employee = new Employee();
    try {
        employee.setAdId(CryptoHelper.decrypt(cursor.getString(1)));
        employee.setCode(CryptoHelper.decrypt(cursor.getString(2)));
        employee.setEmail(CryptoHelper.decrypt(cursor.getString(3)));
        employee.setFirstName(CryptoHelper.decrypt(cursor.getString(4)));
        employee.setGender(CryptoHelper.decrypt(cursor.getString(5)));
        employee.setId(Long.parseLong(CryptoHelper.decrypt(cursor.getString(6))));
        employee.setImei(CryptoHelper.decrypt(cursor.getString(7)));
        employee.setLastName(CryptoHelper.decrypt(cursor.getString(8)));
        employee.setPhone(CryptoHelper.decrypt(cursor.getString(9)));
    } catch (Exception e) {
        e.printStackTrace();
    }

    return employee;
}}
    1 回复  |  直到 8 年前
        1
  •  -1
  •   Pradnya Bhagat    8 年前

    我用准备好的语句解决了它 

    SQLiteStatement sqLiteStatement = database.compileStatement("" +
                        "INSERT INTO " +
                        EmployeeContract.EmployeeEntry.TABLE_NAME +
                        " ( " +
                        EmployeeContract.EmployeeEntry.COLUMN_NAME_AD_ID +
                        "," +
                        EmployeeContract.EmployeeEntry.COLUMN_NAME_CODE +
                        "," +
                        EmployeeContract.EmployeeEntry.COLUMN_NAME_EMAIL +
                        "," +
                        EmployeeContract.EmployeeEntry.COLUMN_NAME_FIRST_NAME +
                        "," +
                        EmployeeContract.EmployeeEntry.COLUMN_NAME_GENDER +
                        "," +
                        EmployeeContract.EmployeeEntry.COLUMN_NAME_PK_ID +
                        "," +
                        EmployeeContract.EmployeeEntry.COLUMN_NAME_IMEI +
                        "," +
                        EmployeeContract.EmployeeEntry.COLUMN_NAME_LAST_NAME +
                        ","+
                        EmployeeContract.EmployeeEntry.COLUMN_NAME_PHONE +
                        " ) " +
                        " VALUES ('" + adId + "','" + code + "', '" + email + "','" + firstName + "','" + gender + "','" + pkId + "','"+ imei+"','"+ lastName +"','"+ phone +"')  ");

        sqLiteStatement.executeInsert();
        sqLiteStatement.close();
    推荐文章
    cagta  ·  如何使用此python脚本避免硬编码sql表达式?
    8 年前
    John  ·  MySQL php查询缺陷
    8 年前
    DavidC  ·  Rails ActiveRecord:如何在jsonb上使用带双引号的绑定变量
    8 年前
    Mori  ·  Azure函数中针对CosmosDB的SQLInjection
    8 年前
    Константин Ковалев  ·  Laravel eloquent selectRaw for SQL注入
    8 年前
    zerocool  ·  数据库中的查询级别
    8 年前
    Arunabh  ·  在不使用预处理语句的情况下摆脱SQL注入
    8 年前
    Michael Pomogajko  ·  为基于时间的盲sqlinjection查找sql查询
    8 年前
    Paul  ·  是节点中的转义函数。js mysql包是否足以安全地查询mysql数据库(无需使用准备好的语句)?
    8 年前
    Web Dev Guy  ·  使用WordPress get\u results()数据库函数是否会阻止sql注入
    8 年前
    关于   移动版
    代码之家 - 一站式码农服务社区
    沪ICP备11025650号