0

I've checked the documentation, but I didn't see it address SQL injections. Does the insert() method automatically prevent injections, or must they be prevented manually? Thanks.

4
  • 1
    I think insert() is safe. It's parameterized at least. I don't see how injection is possible with it. But don't take my word for it. Commented Jul 31, 2013 at 19:55
  • That's what I imagined, but it would be more reassuring to find some confirmation one way or another, especially when dealing with vulnerabilities. Commented Jul 31, 2013 at 19:57
  • 3
    If in doubt you can check out the Android source code. Calling insert does create a parameterized query with question mark placeholders (see SQLiteDatabase.java -> insertWithOnConflict), so yes it should be safe. Commented Jul 31, 2013 at 19:57
  • Thanks @NobuGames. I'll give the source a read through. Commented Jul 31, 2013 at 19:59

1 Answer

3

The Android API calls the SQLite native library to bind parameters. So, assuming the prepared statements are correctly written, queries are safe.

Relevant source code:
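A worked illustration of the answer's point, added here and not part of the original question or answer (the NotesDao class and the notes table with its columns are assumed): insert() and query() bind user input as parameters, while a concatenated rawQuery() string is the case the "correctly written" caveat is about.

```java
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

// Added example, not code from the question or answer. Assumes a table
// "notes(_id INTEGER PRIMARY KEY, title TEXT, body TEXT)" already exists.
public final class NotesDao {
    private final SQLiteDatabase db;

    public NotesDao(SQLiteDatabase db) { this.db = db; }

    // insert(): the ContentValues become "INSERT INTO notes(title,body)
    // VALUES (?,?)" inside insertWithOnConflict and are bound, so a title
    // such as  x'); DROP TABLE notes; --  is stored as ordinary text.
    // Note that only the values are bound: the table name and the column
    // names (the ContentValues keys) are spliced into the SQL text, so they
    // must never come from untrusted input.
    public long addNote(String title, String body) {
        ContentValues cv = new ContentValues();
        cv.put("title", title);
        cv.put("body", body);
        return db.insert("notes", null, cv);
    }

    // Same principle for reads: keep the input in selectionArgs, never in
    // the selection string itself.
    public Cursor findByTitle(String title) {
        return db.query("notes", new String[] {"_id", "title", "body"},
                "title = ?", new String[] {title}, null, null, null);
    }

    // rawQuery() with a '?' placeholder is still a bound parameter, so this
    // is equally safe.
    public Cursor findByTitleRaw(String title) {
        return db.rawQuery("SELECT _id, title, body FROM notes WHERE title = ?",
                new String[] {title});
    }

    // The pattern the answer's caveat excludes: concatenating the input into
    // the statement puts it inside the SQL text and nothing is bound. Shown
    // only as the form to avoid.
    public Cursor findByTitleUnsafe(String title) {
        return db.rawQuery("SELECT _id, title, body FROM notes WHERE title = '"
                + title + "'", null);
    }
}
```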
