Add SQLiteDatabase.validateSql()
This API checks the SQL syntax by compiling it. This is useful to
detect SQL injection, for example.
Change-Id: I956548a34f664950246856966e5601dcac3daf00
diff --git a/core/java/android/database/sqlite/SQLiteDatabase.java b/core/java/android/database/sqlite/SQLiteDatabase.java
index 433d5d1c..50e7356 100644
--- a/core/java/android/database/sqlite/SQLiteDatabase.java
+++ b/core/java/android/database/sqlite/SQLiteDatabase.java
@@ -16,6 +16,8 @@
package android.database.sqlite;
+import android.annotation.NonNull;
+import android.annotation.Nullable;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.DatabaseErrorHandler;
@@ -1683,6 +1685,21 @@
}
/**
+ * Verifies that a SQL SELECT statement is valid by compiling it.
+ * If the SQL statement is not valid, this method will throw a {@link SQLiteException}.
+ *
+ * @param sql SQL to be validated
+ * @param cancellationSignal A signal to cancel the operation in progress, or null if none.
+ * If the operation is canceled, then {@link OperationCanceledException} will be thrown
+ * when the query is executed.
+ * @throws SQLiteException if {@code sql} is invalid
+ */
+ public void validateSql(@NonNull String sql, @Nullable CancellationSignal cancellationSignal) {
+ getThreadSession().prepare(sql,
+ getThreadDefaultConnectionFlags(/* readOnly =*/ true), cancellationSignal, null);
+ }
+
+ /**
* Returns true if the database is opened as read only.
*
* @return True if database is opened as read only.
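Review bot: The Javadoc on the new validateSql says it verifies a "SQL SELECT statement", but the body passes whatever `sql` it receives straight to `prepare()`, so an UPDATE or DELETE string compiles just as well; either the doc should read `Verifies that a SQL statement is valid by compiling it.` or the method should reject non-SELECT text before preparing. Compiling also establishes only that the text parses — the commit message presents this as injection detection, yet a tampered statement that is still well-formed SQL passes this check unchanged, so the Javadoc should not imply more than syntax validation. The `@param cancellationSignal` text says the exception surfaces "when the query is executed", but nothing here executes; `when the statement is compiled` matches what the method does. Since this is now public API on SQLiteDatabase rather than a private helper, the `readOnly = true` connection flag deserves a one-line comment stating why a read-only connection is sufficient for compilation.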
diff --git a/core/java/android/database/sqlite/SQLiteQueryBuilder.java b/core/java/android/database/sqlite/SQLiteQueryBuilder.java
index 91884ab..56cba79 100644
--- a/core/java/android/database/sqlite/SQLiteQueryBuilder.java
+++ b/core/java/android/database/sqlite/SQLiteQueryBuilder.java
@@ -386,8 +386,7 @@
// in both the wrapped and original forms.
String sqlForValidation = buildQuery(projectionIn, "(" + selection + ")", groupBy,
having, sortOrder, limit);
- validateQuerySql(db, sqlForValidation,
- cancellationSignal); // will throw if query is invalid
+ db.validateSql(sqlForValidation, cancellationSignal); // will throw if query is invalid
}
String sql = buildQuery(
@@ -404,16 +403,6 @@
}
/**
- * Verifies that a SQL SELECT statement is valid by compiling it.
- * If the SQL statement is not valid, this method will throw a {@link SQLiteException}.
- */
- private void validateQuerySql(SQLiteDatabase db, String sql,
- CancellationSignal cancellationSignal) {
- db.getThreadSession().prepare(sql,
- db.getThreadDefaultConnectionFlags(true /*readOnly*/), cancellationSignal, null);
- }
-
- /**
* Construct a SELECT statement suitable for use in a group of
* SELECT statements that will be joined through UNION operators
* in buildUnionQuery.