Recipe Name:
SQL Injection: SQLiteDatabase#query - 3rd parameter
Description:
This query could lead to SQL injection
Level:
error
Language:
  • java
Tags:
  • security
  • framework specific
  • mobile
  • injection
  • Android
  • SQL
  • OWASP Top 10
Documentation

Out of Android best practices and secure coding guidelines, recommendations were abstracted which state that queries need to be parametrized. Concatenation of parameters is highly discouraged.

A parametrized query needs to be built first. Next, the parameter variables should be added. The following functions are available and are in line with Android best practices. These functions can be used to execute queries against the database. It is highly discouraged to use the method buildQuery as it does not lend itself to be used correctly. It is highly encouraged to use true parameterized queries instead of the appendWhereEscapeString() method.

Class information:
package android.database.sqlite.SQLiteDatabase;
    public SQLiteStatement compileStatement(String sql);
package android.database.sqlite.SQLiteProgram;
    public void bindString(int index, String value);
package android.database.sqlite.SQLiteStatement;
    public void execute();
Correct code example:
import android.database.sqlite.*;
...
SQLiteDatabase  sampleDB;
String sqlQuery = "INSERT INTO db (id, name) VALUES (?,?)";
SQLiteStatement sqlStmt = sampleDB.compileStatement(sqlQuery);
sqlStmt.bindString(1, id);
sqlStmt.bindString(2, name);
sqlStmt.execute();
Recipe
id: scw:android:SQLite-sqli-3rd-parameter
version: 10
metadata:
  name: 'SQL Injection: SQLiteDatabase#query - 3rd parameter'
  shortDescription: This query could lead to SQL injection
  level: error
  language: java
  scwCategory: injection:sql
  cweCategory: 89
  enabled: true
  comment: ""
  descriptionFile: descriptions/java_android_secure_database_queries.html
  tags: security;framework specific;mobile;injection;Android;SQL;OWASP Top 10
search:
  methodcall:
    args:
      3:
        type: java.lang.String
        value:
          containsUntrustedInput: true
      4:
        type: java.lang.String[]
    name:
      anyOf:
      - is: query
      - is: update
      - is: updateWithOnConflict
    type: android.database.sqlite.SQLiteDatabase
availableFixes:
- name: Parameterize the query
  actions:
  - parameterize:
      placeholderFormat: '?'