How the question arises
When it comes to SQL injection, the usual advice is: do not build SQL by string concatenation; use parameterized queries with placeholders and the injection is prevented. Does the same hold for an Android content provider? Let us look at a database query in an Android ContentProvider client:
public void showBooks(View view) {
    String content = "";
    Uri bookUri = BookProvider.BOOK_CONTENT_URI;
    String _id = "3";
    String name = "Android";
    // Parameterized query: the selection holds only placeholders,
    // the values travel separately in selectionArgs
    Cursor bookCursor = getContentResolver().query(bookUri, new String[]{"_id", "name"},
            "_id=? and name=?", new String[]{_id, name}, null, null);
    if (bookCursor != null) {
        while (bookCursor.moveToNext()) {
            Book book = new Book();
            book.bookId = bookCursor.getInt(0);
            book.bookName = bookCursor.getString(1);
            content += book.toString() + "\n";
            Log.e(TAG, "query book: " + book.toString());
            mTvShowBooks.setText(content);
        }
        bookCursor.close();
    }
}
Expressed as an SQL statement, the query is:
select _id,name from book where _id= ? and name = ?
In theory this statement should not be open to SQL injection. Yet when the selection is injected with the following drozer command, SQL injection turns out to be present:
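The client's parameterization only binds selectionArgs; the selection string itself is delivered to the provider verbatim, and any app that can reach an exported provider may send its own selection. The following is an added example, not the post's BookProvider: an assumed minimal provider showing a weak query() that splices the selection straight into the WHERE clause, beside a hardened form using SQLiteQueryBuilder strict mode and a projection map (the helper class, table and column names beyond _id/name are assumptions).

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;

// Assumed provider for a table book(_id, name); not the post's code.
public class BookProvider extends ContentProvider {
    private SQLiteOpenHelper mDbHelper; // assumed helper that creates table "book"

    // Weak form: the caller-supplied selection reaches the SQL text unchecked.
    // Only selectionArgs are bound as parameters, so a hostile caller that
    // controls selection is not constrained by the client's "_id=? and name=?".
    Cursor queryWeak(String[] projection, String selection,
                     String[] selectionArgs, String sortOrder) {
        SQLiteDatabase db = mDbHelper.getReadableDatabase();
        return db.query("book", projection, selection, selectionArgs,
                        null, null, sortOrder);
    }

    // Hardened form: strict mode makes SQLiteQueryBuilder validate the
    // selection clause (including attempts to break out of its parentheses),
    // and the projection map limits the columns a caller can read.
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("book");
        Map<String, String> columns = new HashMap<>();
        columns.put("_id", "_id");
        columns.put("name", "name");
        qb.setProjectionMap(columns);
        qb.setStrict(true);
        SQLiteDatabase db = mDbHelper.getReadableDatabase();
        return qb.query(db, projection, selection, selectionArgs,
                        null, null, sortOrder);
    }

    @Override public boolean onCreate() { return true; } // assumed: mDbHelper set up here
    @Override public String getType(Uri uri) { return null; }
    @Override public Uri insert(Uri uri, ContentValues v) { return null; }
    @Override public int delete(Uri uri, String s, String[] a) { return 0; }
    @Override public int update(Uri uri, ContentValues v, String s, String[] a) { return 0; }
}
```

Strict mode is a second layer: the first is to keep the provider unreachable by untrusted apps (android:exported="false", or a permission on the provider) so that no foreign selection arrives at query() at all.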