Reputation: 37
So I have problems with the following code and was wondering if there is any other way of creating and deleting a table where the table name is taken from the user. The following code gives an error when using a single quote ( ' ). Please help.
public void droptable(String tablename) {
    SQLiteDatabase db = this.getWritableDatabase();
    // The user-supplied name is concatenated straight into the statement
    db.execSQL("DROP TABLE IF EXISTS " + tablename);
}

public void createtable(String tablename) {
    SQLiteDatabase db = this.getWritableDatabase();
    // COLUMN0 and COLUMN1 are the column-name constants of this helper class
    String query = String.format("CREATE TABLE IF NOT EXISTS %s ( %s INTEGER PRIMARY KEY AUTOINCREMENT , %s TEXT )", tablename, COLUMN0, COLUMN1);
    db.execSQL(query);
}
is there a better way to do this?
Upvotes: 1
Views: 3042
Reputation: 1006674
Unless your app will export the SQLite database itself, with the user intending to use that SQLite database elsewhere, the user will never see this table except through your app.
That gives you a number of options:
Do not use the user-entered value for the table name. Instead, generate a valid table name yourself, and keep a mapping of the generated names and what the user-entered "display name" is for each table.
Transform the user-entered value into a valid table name, by removing unsupported characters.
Wrap the user-entered value in quotation marks ("%s"), though then you will have problems if the user enters a table name with a quotation mark.
Prevent the user from entering an invalid table name, by rejecting non-standard characters as part of your EditText.
Validate the user-entered value and show an error dialog if they type in something that will result in SQL errors.
Upvotes: 4
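The options in the answer above, worked through as plain Java so they can be tried without an Android SQLiteDatabase. This is added example code, not the asker's code or the answer author's; TableNames, register, sanitize, quoteIdentifier and isValidIdentifier are hypothetical names chosen here, and the reserved-word list is a constructed short sample rather than SQLite's full keyword list. The background point is that SQLite bind parameters only work for values, never for table or column names, so whatever reaches the DDL string must be made safe as an identifier beforehand: either never derived from user text at all (the mapping approach), reduced to a pattern that cannot carry quotes or whitespace, or wrapped in double quotes with any embedded double quote doubled, which is the escaping SQLite expects inside a quoted identifier.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical helper (added example, not from the question or the answer).
public final class TableNames {

    // An identifier made of a letter or underscore followed by letters, digits or
    // underscores never needs quoting and cannot smuggle a quote character or a
    // statement separator into the DDL string.
    private static final Pattern SAFE_IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    // Constructed sample of SQL keywords that would otherwise match the pattern above.
    private static final Set<String> RESERVED = new HashSet<>(Arrays.asList(
            "TABLE", "SELECT", "INDEX", "WHERE", "ORDER", "GROUP", "DROP", "CREATE"));

    // Option "reject / validate": accept only names that are safe as bare identifiers.
    public static boolean isValidIdentifier(String name) {
        return name != null
                && name.length() <= 64   // constructed cap; SQLite itself imposes no such limit
                && SAFE_IDENTIFIER.matcher(name).matches()
                && !RESERVED.contains(name.toUpperCase(Locale.ROOT));
    }

    // Option "transform": strip everything that is not a letter, digit or underscore,
    // and prefix the result if it would be empty or start with a digit.
    public static String sanitize(String displayName) {
        String cleaned = displayName.replaceAll("[^A-Za-z0-9_]", "");
        if (cleaned.isEmpty() || Character.isDigit(cleaned.charAt(0))) {
            cleaned = "t_" + cleaned;
        }
        return cleaned;
    }

    // Option "quote": inside a double-quoted SQLite identifier the only character
    // that needs escaping is the double quote itself, which is written twice.
    public static String quoteIdentifier(String name) {
        return "\"" + name.replace("\"", "\"\"") + "\"";
    }

    // Option "generate": user text never enters the statement. An internal name is
    // generated and the mapping to the display name is kept on the side.
    private final Map<String, String> displayNames = new HashMap<>();
    private int counter = 0;

    public String register(String displayName) {
        String internal = "user_table_" + (++counter);
        displayNames.put(internal, displayName);
        return internal;
    }

    public String displayNameOf(String internal) {
        return displayNames.get(internal);
    }

    // Builds the same DDL as the question, from an identifier that has already been
    // generated, sanitized or quoted. column0/column1 stand in for COLUMN0/COLUMN1.
    public static String createTableSql(String tableIdentifier, String column0, String column1) {
        return String.format(
                "CREATE TABLE IF NOT EXISTS %s ( %s INTEGER PRIMARY KEY AUTOINCREMENT , %s TEXT )",
                tableIdentifier, column0, column1);
    }

    public static void main(String[] args) {
        // Constructed input containing both kinds of quote and a space.
        String fromUser = "Bob's \"notes\" 2024";

        System.out.println("valid as bare identifier: " + isValidIdentifier(fromUser));
        System.out.println("sanitized: " + sanitize(fromUser));
        System.out.println("quoted:    " + quoteIdentifier(fromUser));

        TableNames names = new TableNames();
        String internal = names.register(fromUser);
        System.out.println(createTableSql(internal, "_id", "payload"));
        System.out.println("shown to the user as: " + names.displayNameOf(internal));
    }
}
```

Of the four, the generated-name mapping is the one that removes the problem rather than managing it: the statement text is fully under the app's control and the display name can contain anything the user likes. The validation and sanitizing variants still build the statement from user-derived text and so depend on the pattern being strict enough; quoting is correct for SQLite but is easy to get wrong if the quoting routine is ever bypassed or the name is later reused unquoted.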