Welcome to our Secure Development Tips blog

Every other week we provide expert tips on how to build and deploy secure applications. These best practices, derived from Security Innovation's assessments of the world's most dominant software applications, are taken directly from our TeamMentor product, which includes more than 3,500 guidance assets and articles on secure software design, coding and testing.

Secure Development Tips

A blog with tips relating to secure application development, from Security Innovation's eknowledge database, TeamMentor.


Use Parameterized Methods for Database Access


Applies To

  • Android applications that query a database.

What to Do

Use parameterized query methods for database access.


Using parameterized query methods for database access prevents SQL injection vulnerabilities.


The Android API includes parameterized methods for querying SQLite databases. Avoid the rawQuery method: it takes the entire SQL statement as a single string, so any untrusted input built into that string becomes part of the query and introduces SQL injection vulnerabilities.

Use the following method for SELECT statements:

  • query

Use the following methods for INSERT statements:

  • insert
  • insertOrThrow
  • insertWithOnConflict

Use the following methods for UPDATE statements:

  • update
  • updateWithOnConflict

Use the following method for DELETE statements:

  • delete

If your application uses some other database API, make sure that it provides parameterized methods for database access and that your code uses them.
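The following Java class is an added example, not code from the original post or from TeamMentor. It places the string-built rawQuery pattern the post warns against beside the parameterized query, insertWithOnConflict, update and delete calls listed above. The users table, its columns (_id, name, email, role) and the UserStore class are assumptions made for illustration.

```java
// Added example (not from the original post): unsafe vs. parameterized SQLite access
// on Android. The "users" table, its columns and the UserStore class are assumed.
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

import java.util.ArrayList;
import java.util.List;

public class UserStore {
    private static final String TABLE = "users";
    private final SQLiteDatabase db;

    public UserStore(SQLiteDatabase db) {
        this.db = db;
    }

    // VULNERABLE: untrusted input is concatenated into the SQL text, so a value
    // containing a quote character changes the structure of the statement.
    public List<String> findEmailsUnsafe(String name) {
        Cursor c = db.rawQuery(
                "SELECT email FROM users WHERE name = '" + name + "'", null);
        return collectFirstColumn(c);
    }

    // SAFE: the SQL is fixed in code; "?" is bound to the value, which SQLite
    // treats purely as data and never parses as SQL.
    public List<String> findEmails(String name) {
        Cursor c = db.query(TABLE,
                new String[] {"email"},        // columns
                "name = ?",                    // selection with a placeholder
                new String[] {name},           // selectionArgs, bound not concatenated
                null, null,                    // groupBy, having
                "email ASC");                  // orderBy (fixed in code)
        return collectFirstColumn(c);
    }

    // INSERT: column names come from code, values are bound through ContentValues.
    // With CONFLICT_IGNORE the call returns -1 on a constraint violation instead
    // of throwing, so the caller can handle a duplicate row explicitly.
    public long addUser(String name, String email) {
        ContentValues v = new ContentValues();
        v.put("name", name);
        v.put("email", email);
        v.put("role", "user");
        return db.insertWithOnConflict(TABLE, null, v, SQLiteDatabase.CONFLICT_IGNORE);
    }

    // UPDATE: whereArgs are bound exactly like selectionArgs in query(). Android
    // binds every argument as text; SQLite's column affinity converts "42" for
    // comparison against an INTEGER _id column.
    public int changeEmail(long userId, String newEmail) {
        ContentValues v = new ContentValues();
        v.put("email", newEmail);
        return db.update(TABLE, v, "_id = ?", new String[] {String.valueOf(userId)});
    }

    // DELETE: same binding pattern.
    public int removeUser(long userId) {
        return db.delete(TABLE, "_id = ?", new String[] {String.valueOf(userId)});
    }

    // Placeholders stand in for values only. A caller-chosen sort column cannot be
    // bound with "?", so it is checked against an allow-list before use.
    private static final String[] SORTABLE = {"name", "email", "role"};

    public List<String> findEmailsSorted(String name, String sortColumn) {
        String orderBy = null;
        for (String col : SORTABLE) {
            if (col.equals(sortColumn)) {
                orderBy = col + " ASC";
                break;
            }
        }
        if (orderBy == null) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        Cursor c = db.query(TABLE, new String[] {"email"}, "name = ?",
                new String[] {name}, null, null, orderBy);
        return collectFirstColumn(c);
    }

    // Reads the first column of every row and always closes the cursor.
    private static List<String> collectFirstColumn(Cursor c) {
        List<String> out = new ArrayList<>();
        try {
            while (c.moveToNext()) {
                out.add(c.getString(0));
            }
        } finally {
            c.close();
        }
        return out;
    }
}
```

Two points worth checking in a code review: first, binding protects values only, so table names, column names and ORDER BY clauses still have to be fixed in code or validated against an allow-list as findEmailsSorted does; second, the typed methods (query, insert, update, delete) leave no SQL string for a later maintainer to concatenate into, which is the practical reason to prefer them over a method that takes the whole statement as text.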

Additional Resources

