I have developed an application and I also published it to Google Play. But it was rejected because it is using a content provider that contains a SQL injection vulnerability.
I checked the provider Java file and I don't know how to fix it! This is the ContentProvider code:
What should I do to fix it?
Protecting your code from SQL injection vulnerabilities when you use a QueryBuilder is tricky and subtle.
Briefly, you must make sure that your code and only your code controls the parts of the query like selection, projection, and sort order, which are used to build the final query. You must not allow any untrusted content to be used for parts of your query.
Here's an article about SQL injection in content providers that gives examples of how untrusted content can cause SQL injection vulnerabilities, and goes into more detail specific to Android development:
https://solidgeargroup.com/sql-injection-in-content-providers-of-android-and-how-to-be-protected
The TL;DR of it is:
Projection: check if the fields to query (name, size, format in the example above) exist in the table we want to get the data from.
Selection: use query parameterized methods.
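As an added example (not code from the question, the answer or the linked article), a `query()` implementation that applies both rules; the `files` table, its columns and the `FilesProvider` name are assumptions:

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;

public class FilesProvider extends ContentProvider {
    private static final String TABLE = "files"; // assumed table name
    // Allow-list of columns: the only names that may ever reach the SQL text.
    private static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        for (String col : new String[] {"_id", "name", "size", "format"}) {
            PROJECTION_MAP.put(col, col);
        }
    }
    private SQLiteOpenHelper helper;

    @Override
    public boolean onCreate() {
        helper = new SQLiteOpenHelper(getContext(), "files.db", null, 1) {
            @Override public void onCreate(SQLiteDatabase db) {
                db.execSQL("CREATE TABLE files (_id INTEGER PRIMARY KEY, "
                        + "name TEXT, size INTEGER, format TEXT)");
            }
            @Override public void onUpgrade(SQLiteDatabase db, int oldV, int newV) { }
        };
        return true;
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        // Projection: a requested column missing from the map makes the builder
        // throw IllegalArgumentException instead of pasting it into the SELECT list.
        qb.setProjectionMap(PROJECTION_MAP);
        // Strict mode also checks the selection against the map and rejects sub-queries.
        qb.setStrict(true);
        // Selection: caller values travel in selectionArgs and are bound as parameters
        // (e.g. selection "name = ?" with args {"a.txt"}); nothing is concatenated here.
        Cursor c = qb.query(helper.getReadableDatabase(), projection, selection,
                selectionArgs, null, null, sortOrder);
        c.setNotificationUri(getContext().getContentResolver(), uri);
        return c;
    }

    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.files"; }
    @Override public Uri insert(Uri uri, ContentValues values) { return null; }
    @Override public int delete(Uri uri, String sel, String[] args) { return 0; }
    @Override public int update(Uri uri, ContentValues v, String sel, String[] args) { return 0; }
}
```

The `insert`, `delete` and `update` stubs are placeholders; a real provider applies the same allow-list and parameter binding in those paths too.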