
Commit 17aa1b7a authored by Makoto Onuki's avatar Makoto Onuki

Add SQLiteDatabase.validateSql()

This API checks the SQL syntax by compiling it.  This is useful to
detect SQL injection, for example.

Change-Id: I956548a34f664950246856966e5601dcac3daf00
parent 5ad34c3e
+1 −0
@@ -10596,6 +10596,7 @@ package android.database.sqlite {
    method public void setVersion(int);
    method public int update(java.lang.String, android.content.ContentValues, java.lang.String, java.lang.String[]);
    method public int updateWithOnConflict(java.lang.String, android.content.ContentValues, java.lang.String, java.lang.String[], int);
    method public void validateSql(java.lang.String, android.os.CancellationSignal);
    method public deprecated boolean yieldIfContended();
    method public boolean yieldIfContendedSafely();
    method public boolean yieldIfContendedSafely(long);
+1 −0
@@ -10943,6 +10943,7 @@ package android.database.sqlite {
    method public void setVersion(int);
    method public int update(java.lang.String, android.content.ContentValues, java.lang.String, java.lang.String[]);
    method public int updateWithOnConflict(java.lang.String, android.content.ContentValues, java.lang.String, java.lang.String[], int);
    method public void validateSql(java.lang.String, android.os.CancellationSignal);
    method public deprecated boolean yieldIfContended();
    method public boolean yieldIfContendedSafely();
    method public boolean yieldIfContendedSafely(long);
+1 −0
@@ -10596,6 +10596,7 @@ package android.database.sqlite {
    method public void setVersion(int);
    method public int update(java.lang.String, android.content.ContentValues, java.lang.String, java.lang.String[]);
    method public int updateWithOnConflict(java.lang.String, android.content.ContentValues, java.lang.String, java.lang.String[], int);
    method public void validateSql(java.lang.String, android.os.CancellationSignal);
    method public deprecated boolean yieldIfContended();
    method public boolean yieldIfContendedSafely();
    method public boolean yieldIfContendedSafely(long);
+17 −0
@@ -16,6 +16,8 @@

package android.database.sqlite;

import android.annotation.NonNull;
import android.annotation.Nullable;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.DatabaseErrorHandler;
@@ -1682,6 +1684,21 @@ public final class SQLiteDatabase extends SQLiteClosable {
        }
    }

    /**
     * Verifies that a SQL SELECT statement is valid by compiling it.
     * If the SQL statement is not valid, this method will throw a {@link SQLiteException}.
     *
     * @param sql SQL to be validated
     * @param cancellationSignal A signal to cancel the operation in progress, or null if none.
     * If the operation is canceled, then {@link OperationCanceledException} will be thrown
     * when the query is executed.
     * @throws SQLiteException if {@code sql} is invalid
     */
    public void validateSql(@NonNull String sql, @Nullable CancellationSignal cancellationSignal) {
        getThreadSession().prepare(sql,
                getThreadDefaultConnectionFlags(/* readOnly =*/ true), cancellationSignal, null);
    }

    /**
     * Returns true if the database is opened as read only.
     *
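Review bot: The Javadoc on validateSql promises to verify "a SQL SELECT statement", but nothing in the body restricts the statement type — `getThreadDefaultConnectionFlags(/* readOnly =*/ true)` only selects connection flags, and `prepare` compiles whatever `sql` contains, so a syntactically valid UPDATE or DELETE passes just as well as a SELECT. Because the commit message presents this as an injection check, the doc should state precisely what a successful return proves; I would add after the first sentence: `A successful return only means the statement compiled against the current schema; it does not mean the statement is a SELECT, that it has no side effects, or that it contains no injected clauses that happen to be well-formed.` It is also worth documenting whether text following the first statement is rejected or silently ignored, which I cannot tell from this hunk and which matters for callers such as SQLiteQueryBuilder that now rely on this method. The `null` last argument to `prepare` deserves an inline `/* outStatementInfo */`-style label like the one already used for `readOnly`, since its meaning is not visible at the call site. The enclosing class SQLiteDatabase continues outside the hunk.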
+1 −12
@@ -386,8 +386,7 @@ public class SQLiteQueryBuilder
            // in both the wrapped and original forms.
            String sqlForValidation = buildQuery(projectionIn, "(" + selection + ")", groupBy,
                    having, sortOrder, limit);
            validateQuerySql(db, sqlForValidation,
                    cancellationSignal); // will throw if query is invalid
            db.validateSql(sqlForValidation, cancellationSignal); // will throw if query is invalid
        }

        String sql = buildQuery(
@@ -403,16 +402,6 @@ public class SQLiteQueryBuilder
                cancellationSignal); // will throw if query is invalid
    }

    /**
     * Verifies that a SQL SELECT statement is valid by compiling it.
     * If the SQL statement is not valid, this method will throw a {@link SQLiteException}.
     */
    private void validateQuerySql(SQLiteDatabase db, String sql,
            CancellationSignal cancellationSignal) {
        db.getThreadSession().prepare(sql,
                db.getThreadDefaultConnectionFlags(true /*readOnly*/), cancellationSignal, null);
    }

    /**
     * Construct a SELECT statement suitable for use in a group of
     * SELECT statements that will be joined through UNION operators