Reputation: 109
Recently, during a source code audit of my Android application, the auditors raised a few points, such as path manipulation and privacy violation attacks.
I have been searching for proper solutions for the last few days but couldn't find any fruitful solution. Please provide me solutions for the queries below.
1.

```java
File f = new File("filepath");
```

How do I prevent an attacker from manipulating filepath?

2.

```java
private void selectDataFromDB(String param1, String param2) {
    // rawQuery(sql, selectionArgs) is the SQLiteDatabase method that takes a SQL
    // string plus bound arguments; query() takes table/columns/selection instead.
    Cursor c = sqlitedatabase.rawQuery(
            "SELECT * FROM tbl1 WHERE col1 LIKE ? AND colu2 LIKE ?",
            new String[]{param1, param2});
}
```

How do I validate the parameters so that an attacker cannot change them? Input sanitization? How do I apply it?
Edit 1:
The method selectDataFromDB() in MyActivity.java mishandles confidential information, which can compromise user privacy and is often illegal.
Upvotes: 0
Views: 1034
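For the first point (the filepath one), the usual defence is to never let the caller supply a full path: resolve the caller's name against a fixed base directory, canonicalize the result, and reject it if it falls outside that directory. The following is an added example, not code from the question or from any answer; `SafeFileResolver`, the class and method names, and the use of a temporary directory in `main` are my own choices (on Android the base directory would typically be `context.getFilesDir()`, which is an assumption about the caller's setup).

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

// Added example: confine caller-supplied file names to one base directory.
public final class SafeFileResolver {
    private final File baseDir;

    public SafeFileResolver(File baseDir) throws IOException {
        // Canonicalize once so the containment check compares real directories.
        this.baseDir = baseDir.getCanonicalFile();
    }

    /**
     * Returns the file named {@code userName} inside the base directory, or
     * throws if the resolved path escapes it (for example via ".." segments).
     */
    public File resolve(String userName) throws IOException {
        if (userName == null || userName.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // Resolve relative to the base directory, then canonicalize: this
        // collapses ".." and follows symlinks, so the check is on the real target.
        File candidate = new File(baseDir, userName).getCanonicalFile();
        // Compare path components rather than string prefixes, so a sibling
        // directory whose name merely starts with the base name is not accepted.
        if (!candidate.toPath().startsWith(baseDir.toPath())) {
            throw new SecurityException("path escapes base directory: " + userName);
        }
        return candidate;
    }

    // Stand-alone demo against a temporary directory (constructed input).
    public static void main(String[] args) throws IOException {
        File tmp = Files.createTempDirectory("safe-files").toFile();
        SafeFileResolver resolver = new SafeFileResolver(tmp);
        System.out.println("accepted: " + resolver.resolve("notes.txt"));
        try {
            resolver.resolve("../escaped.txt");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check happens after canonicalization on purpose: validating the raw string (for instance by searching for "..") misses encodings and symlinks, whereas comparing the canonical result against the canonical base directory decides on where the file actually is.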
Reputation: 562931
> They proposed that I apply input sanitization.
You don't need to sanitize inputs when you use query parameters. That's one of the best reasons to use parameterized SQL statements. It's not possible for the value of a query parameter to change the SQL syntax.
It's possible that your auditors don't understand how SQL injection works.
Upvotes: 0
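To make the distinction in this answer concrete, here is an added example (not code from the question or the answer) that puts a string-concatenated version of the query next to the parameterized one from the question. It assumes the same table `tbl1` with columns `col1` and `colu2`, and uses the real `SQLiteDatabase.rawQuery(String, String[])` and `query(...)` methods; the class name `Tbl1Queries` and the `escapeLike` helper are my own.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

// Added example: the same SELECT written unsafely and safely.
public final class Tbl1Queries {
    private final SQLiteDatabase db;

    public Tbl1Queries(SQLiteDatabase db) {
        this.db = db;
    }

    // VULNERABLE, shown for contrast only: the caller's strings become part of the
    // SQL text, so a single quote inside param1 changes the statement's structure.
    public Cursor selectUnsafe(String param1, String param2) {
        String sql = "SELECT * FROM tbl1 WHERE col1 LIKE '" + param1
                + "' AND colu2 LIKE '" + param2 + "'";
        return db.rawQuery(sql, null);
    }

    // SAFE: the SQL text is a constant and SQLite binds the values at execution
    // time, so whatever they contain they are data and cannot alter the syntax.
    public Cursor selectSafe(String param1, String param2) {
        return db.rawQuery(
                "SELECT * FROM tbl1 WHERE col1 LIKE ? AND colu2 LIKE ?",
                new String[]{param1, param2});
    }

    // The same query through the structured query() API, which assembles the
    // SQL from its arguments and binds selectionArgs the same way.
    public Cursor selectSafeStructured(String param1, String param2) {
        return db.query("tbl1", null,
                "col1 LIKE ? AND colu2 LIKE ?",
                new String[]{param1, param2},
                null, null, null);
    }

    // Binding stops injection but does not change LIKE semantics: '%' and '_' in
    // a bound value are still wildcards. If the caller means literal text, escape
    // them and declare the escape character (a correctness point, not injection).
    public Cursor selectSafeLiteral(String param1, String param2) {
        return db.rawQuery(
                "SELECT * FROM tbl1 WHERE col1 LIKE ? ESCAPE '\\' AND colu2 LIKE ? ESCAPE '\\'",
                new String[]{escapeLike(param1), escapeLike(param2)});
    }

    // Escape the backslash first, then the two LIKE wildcards.
    static String escapeLike(String s) {
        return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }
}
```

`selectSafe` is what the question already does, so no extra sanitization is needed there for injection; `selectSafeLiteral` is the only addition a practitioner would consider, and it is about matching the right rows rather than about an attacker changing the query.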