
Commit 390d51e3 authored by Lee Shombert's avatar Lee Shombert

Update ContentProvider documentation

Bug: 286447115

Update the ContentProvider examples with best practice for guarding
against SQL injection attacks.  Add the same information to
SQLiteQueryBuilder itself.

This only changes documentation.

Test: make ds-docs
Change-Id: Ia05c5ee9e61da4140ea933a3d231c7438597defa
parent 5c61842f
+12 −0
@@ -1483,6 +1483,12 @@ public abstract class ContentProvider implements ContentInterface, ComponentCall
        // proper SQL syntax for us.
        SQLiteQueryBuilder qBuilder = new SQLiteQueryBuilder();

        // Guard against SQL injection attacks
        qBuilder.setStrict(true);
        qBuilder.setProjectionMap(MAP_OF_QUERYABLE_COLUMNS);
        qBuilder.setStrictColumns(true);
        qBuilder.setStrictGrammar(true);

        // Set the table we're querying.
        qBuilder.setTables(DATABASE_TABLE_NAME);

@@ -1546,6 +1552,12 @@ public abstract class ContentProvider implements ContentInterface, ComponentCall
        // proper SQL syntax for us.
        SQLiteQueryBuilder qBuilder = new SQLiteQueryBuilder();

        // Guard against SQL injection attacks
        qBuilder.setStrict(true);
        qBuilder.setProjectionMap(MAP_OF_QUERYABLE_COLUMNS);
        qBuilder.setStrictColumns(true);
        qBuilder.setStrictGrammar(true);

        // Set the table we're querying.
        qBuilder.setTables(DATABASE_TABLE_NAME);

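Review bot: The comment `// Guard against SQL injection attacks` above the new setter calls names the goal but not what each call enforces or what happens when a client-supplied fragment is rejected, which matters in a javadoc example that developers copy verbatim. Suggest expanding it to `// Guard against SQL injection: strict mode validates caller-supplied projection/selection/sort fragments, the projection map (required by setStrictColumns) limits the queryable columns,` followed by `// and strict grammar rejects clauses beyond plain comparisons; offending input is rejected rather than reaching the database.` The example should also carry two caveats: strict mode can reject legitimate-looking input (column names outside the map, more complex selections), so a provider that intentionally accepts richer queries needs its own allow-listing, and these settings only constrain the SQL fragments — values must still be passed via selectionArgs so they are bound rather than interpolated. The enclosing query() example and the rest of the method body continue outside both hunks.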
+9 −0
@@ -48,6 +48,15 @@ import java.util.regex.Pattern;
/**
 * This is a convenience class that helps build SQL queries to be sent to
 * {@link SQLiteDatabase} objects.
 * <p>
 * This class is often used to compose a SQL query from client-supplied fragments.  Best practice
 * to protect against invalid or illegal SQL is to set the following:
 * <ul>
 * <li>{@link #setStrict} true.
 * <li>{@link #setProjectionMap} with the list of queryable columns.
 * <li>{@link #setStrictColumns} true.
 * <li>{@link #setStrictGrammar} true.
 * </ul>
 */
public class SQLiteQueryBuilder {
    private static final String TAG = "SQLiteQueryBuilder";
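Review bot: The new class javadoc describes the four settings as protection against "invalid or illegal SQL", but the risk they address is injection from the client-supplied fragments mentioned in the previous sentence; suggest `Best practice when any fragment (projection, selection, sort order) comes from an untrusted caller is to enable all of the following before running the query:`. The list should also state that the projection map is what `setStrictColumns` validates against, so it must be set for strict-column checking to be meaningful, and that a violating fragment is rejected when the query is built or executed rather than silently altered (the exact exception type is documented on the setters, which are outside this hunk). One more line is worth adding: these settings constrain only the SQL fragments, and values must still be supplied through `selectionArgs` so they are bound as parameters instead of concatenated. The class body continues past the hunk.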