避免类似查询的SQL注入的Android SQLite的
问题描述:
我尝试使用休耕避免类似查询的SQL注入的Android SQLite的
Cursor cursor = sqLiteDatabase.rawQuery(
"SELECT * FROM "
+ TableInformation.TABLE_NAME
+ " LEFT OUTER JOIN "
+ FavouritesItems.TableInformation.TABLE_NAME
+ " ON "
+ FavouritesItems.TableInformation.TABLE_NAME + "." + FavouritesItems.TableInformation.FAVOURITE_ITEM_ID
+ " = "
+ TableInformation.TABLE_NAME + "." + TableInformation.ITEM_ID
+ " WHERE 1 = 1"
+ (itemSearch.getItemDescription().length() > 0 ? " AND " + TableInformation.ITEM_DESCRIPTION + " LIKE %" + "?" + "% " : "")
+ (itemSearch.getItemDescriptionEn().length() > 0 ? " AND " + TableInformation.ITEM_DESCRIPTION_EN + " LIKE '%" + "?" + "%' " : "")
, mySQLStatementStrings);
做一个搜索方法在我的SQLite数据库,但是当我编译它抛出休耕异常,因为编译器不能找到问题标记为'%'%'
FATAL EXCEPTION: main
Process: com.shamisoft.myjewelaryshopproject, PID: 18398
java.lang.IllegalArgumentException: Cannot bind argument at index 1 because the index is out of range. The statement has 0 parameters.
at android.database.sqlite.SQLiteProgram.bind(SQLiteProgram.java:212)
at android.database.sqlite.SQLiteProgram.bindString(SQLiteProgram.java:166)
at android.database.sqlite.SQLiteProgram.bindAllArgsAsStrings(SQLiteProgram.java:200)
at android.database.sqlite.SQLiteDirectCursorDriver.query(SQLiteDirectCursorDriver.java:47)
at android.database.sqlite.SQLiteDatabase.rawQueryWithFactory(SQLiteDatabase.java:1316)
at android.database.sqlite.SQLiteDatabase.rawQuery(SQLiteDatabase.java:1255)
at com.shamisoft.myjewelaryshopproject.classes.Items.getItemsSearch2(Items.java:705)
at com.shamisoft.myjewelaryshopproject.classes.SearchItemCustomDialog$1.onClick(SearchItemCustomDialog.java:103)
at android.view.View.performClick(View.java:4781)
at android.view.View$PerformClick.run(View.java:19874)
at android.os.Handler.handleCallback(Handler.java:739)
at android.os.Handler.dispatchMessage(Handler.java:95)
at android.os.Looper.loop(Looper.java:135)
at android.app.ActivityThread.main(ActivityThread.java:5254)
at java.lang.reflect.Method.invoke(Native Method)
at java.lang.reflect.Method.invoke(Method.java:372)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:902)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:697)
问题是如何避免SQL注入在这种情况下?
答
在一个字符串中,?
只是一个普通字符。
要用作参数的字符串值在SQL中以单独的字符串值结尾。如果需要的话,你可以结合如果与其他字符串:
... WHERE ...
AND (Description LIKE '%' || ? || '%' OR
Description_EN LIKE '%' || ? || '%')
你必须添加'?'来显示它添加参数的位置。你传递一个参数但没有地方添加那些,因此它会抛出一个异常 – Zoe
?标记在这里后像word (itemSearch.getItemDescription()。length()> 0?“AND”+ TableInformation.ITEM_DESCRIPTION +“LIKE%”+“?”+“%”:“”) –
现在我意识到不是问题。问题是形成不良的SQL查询。 '> 0?'不是一个好的SQL查询(或者对此有效的) – Zoe