您的位置: 首页  >  技术问答  >  避免类似查询的SQL注入的Android SQLite的

避免类似查询的SQL注入的Android SQLite的

分类: 技术问答 2022-04-02 22:25:10

避免类似查询的SQL注入的Android SQLite的

问题描述:

我尝试使用休耕避免类似查询的SQL注入的Android SQLite的

Cursor cursor = sqLiteDatabase.rawQuery(
       "SELECT * FROM " 
         + TableInformation.TABLE_NAME 
         + " LEFT OUTER JOIN " 
         + FavouritesItems.TableInformation.TABLE_NAME 
         + " ON " 
         + FavouritesItems.TableInformation.TABLE_NAME + "." + FavouritesItems.TableInformation.FAVOURITE_ITEM_ID 
         + " = " 
         + TableInformation.TABLE_NAME + "." + TableInformation.ITEM_ID 
         + " WHERE 1 = 1" 
         + (itemSearch.getItemDescription().length() > 0 ? " AND " + TableInformation.ITEM_DESCRIPTION + " LIKE %" + "?" + "% " : "") 
         + (itemSearch.getItemDescriptionEn().length() > 0 ? " AND " + TableInformation.ITEM_DESCRIPTION_EN + " LIKE '%" + "?" + "%' " : "") 
         , mySQLStatementStrings);

做一个搜索方法在我的SQLite数据库,但是当我编译它抛出休耕异常,因为编译器不能找到问题标记为'%'%'

FATAL EXCEPTION: main 
                       Process: com.shamisoft.myjewelaryshopproject, PID: 18398 
                       java.lang.IllegalArgumentException: Cannot bind argument at index 1 because the index is out of range. The statement has 0 parameters. 
                        at android.database.sqlite.SQLiteProgram.bind(SQLiteProgram.java:212) 
                        at android.database.sqlite.SQLiteProgram.bindString(SQLiteProgram.java:166) 
                        at android.database.sqlite.SQLiteProgram.bindAllArgsAsStrings(SQLiteProgram.java:200) 
                        at android.database.sqlite.SQLiteDirectCursorDriver.query(SQLiteDirectCursorDriver.java:47) 
                        at android.database.sqlite.SQLiteDatabase.rawQueryWithFactory(SQLiteDatabase.java:1316) 
                        at android.database.sqlite.SQLiteDatabase.rawQuery(SQLiteDatabase.java:1255) 
                        at com.shamisoft.myjewelaryshopproject.classes.Items.getItemsSearch2(Items.java:705) 
                        at com.shamisoft.myjewelaryshopproject.classes.SearchItemCustomDialog$1.onClick(SearchItemCustomDialog.java:103) 
                        at android.view.View.performClick(View.java:4781) 
                        at android.view.View$PerformClick.run(View.java:19874) 
                        at android.os.Handler.handleCallback(Handler.java:739) 
                        at android.os.Handler.dispatchMessage(Handler.java:95) 
                        at android.os.Looper.loop(Looper.java:135) 
                        at android.app.ActivityThread.main(ActivityThread.java:5254) 
                        at java.lang.reflect.Method.invoke(Native Method) 
                        at java.lang.reflect.Method.invoke(Method.java:372) 
                        at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:902) 
                        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:697)

问题是如何避免SQL注入在这种情况下?

+0

你必须添加'?'来显示它添加参数的位置。你传递一个参数但没有地方添加那些,因此它会抛出一个异常 – Zoe

+0

?标记在这里后像word (itemSearch.getItemDescription()。length()> 0?“AND”+ TableInformation.ITEM_DESCRIPTION +“LIKE%”+“?”+“%”:“”) –

+0

现在我意识到不是问题。问题是形成不良的SQL查询。 '> 0?'不是一个好的SQL查询(或者对此有效的) – Zoe

在一个字符串中,?只是一个普通字符。

要用作参数的字符串值在SQL中以单独的字符串值结尾。如果需要的话,你可以结合如果与其他字符串:

... WHERE ... 
     AND (Description LIKE '%' || ? || '%' OR 
      Description_EN LIKE '%' || ? || '%')

相关推荐