Insecure Use of SQL Queries

Why is this important?

SQL injection flaws are dangerous because attackers can find them easily. An attacker who exploits one can read from, and sometimes write to, your database. SQL injection is very common and has been the cause of many high-profile breaches.

Check out this video for a high-level explanation:

SQL Injection Explanation Video

Fixing Insecure Use of SQL Queries

Option A: Use Prepared Statements Securely

  1. Go through the issues that GuardRails identified in the PR.

  2. Look for insecure patterns like this:

    String query = "SELECT * FROM messages WHERE uid = '" + userInput + "'";
    Cursor cursor = this.getReadableDatabase().rawQuery(query, null);

  3. Replace it with the following:

    String query = "SELECT * FROM messages WHERE uid = ?";
    Cursor cursor = this.getReadableDatabase().rawQuery(query, new String[] {userInput});

  4. Test it

  5. Ship it 🚢 and relax 🌴
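The following is an added example, not part of this GuardRails page, that mirrors the two `rawQuery` patterns above with Python's `sqlite3` module (Android's SQLite uses the same engine and the same `?` placeholder). It gives step 4, "Test it", concrete cases: a benign uid, a legitimate uid containing an apostrophe, and a tautology input, run against a constructed in-memory `messages` table.

```python
import sqlite3

# Constructed sample data: a messages table with three users' rows.
MESSAGES = [
    ("alice", "hello from alice"),
    ("bob", "bob's private note"),
    ("o'brien", "uid with an apostrophe"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (uid TEXT, body TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?)", MESSAGES)
    return conn


def query_concatenated(conn, user_input):
    """Mirror of the insecure pattern: user input spliced into the SQL text."""
    query = "SELECT uid, body FROM messages WHERE uid = '" + user_input + "'"
    return conn.execute(query).fetchall()


def query_parameterized(conn, user_input):
    """Mirror of the fixed pattern: '?' placeholder, value bound separately."""
    query = "SELECT uid, body FROM messages WHERE uid = ?"
    return conn.execute(query, (user_input,)).fetchall()


def run_cases():
    conn = make_db()
    results = {}
    # Case 1: a normal uid. Both variants return the same single row.
    results["benign_concat"] = query_concatenated(conn, "alice")
    results["benign_param"] = query_parameterized(conn, "alice")
    # Case 2: a legitimate uid containing an apostrophe. Concatenation yields
    # malformed SQL and raises; the bound parameter is matched literally.
    try:
        query_concatenated(conn, "o'brien")
        results["apostrophe_concat"] = "no error"
    except sqlite3.OperationalError:
        results["apostrophe_concat"] = "error"
    results["apostrophe_param"] = query_parameterized(conn, "o'brien")
    # Case 3: the classic tautology. Concatenation turns the WHERE clause into
    # "uid = '' OR '1'='1'" and leaks every row; the bound parameter matches none.
    tautology = "' OR '1'='1"
    results["tautology_concat"] = query_concatenated(conn, tautology)
    results["tautology_param"] = query_parameterized(conn, tautology)
    return results
```

Case 2 is worth keeping in the test suite after the fix: it shows the prepared statement also removes a correctness bug, not only the injection.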

More information: