Android Question Large listview crashes on Android 7

jpvniekerk

jpvniekerk

Active Member
Licensed User
Longtime User
I have an app that crashes on a customer's S8 phone (Android 7) opening a listview that contains a lot (> 1400) of items. A filtered list with < 100 items works fine.
I don't have a device with Android 7, but on Android 6 I don't get the problem at all, so I can't replicate the issue to debug myself.

My code for filling the listview is:
B4X: 
If cur2.IsInitialized Then cur2.Close
If vFavPL = 0 Then
      sqlTxt = "SELECT ID, Name, Manf_ID FROM tblComp WHERE Type = 4 ORDER by Name COLLATE NOCASE"
    Else
      sqlTxt = "SELECT ID, Name, Manf_ID FROM tblComp WHERE Type = 4 AND Fav = 1 ORDER by Name COLLATE NOCASE"
    End If
cur2 = sql1.ExecQuery(sqlTxt)
For i = 0 To cur2.RowCount - 1
    cur2.Position = i
    lvPickList.AddSingleLine2(cur2.GetString("Name") &" ("&getManfAbbr(cur2.GetInt("Manf_ID"))&")",cur2.GetInt("ID"))
Next

If vFavPL = 0 (full list of ~1400 items) app crashes.
If vFavPL = 1 (~100 items) app does not crash.

Any ideas why this might happen?
 
Sort by date Sort by votes
jpvniekerk

jpvniekerk

Active Member
Licensed User
Longtime User
I'm going through my code (almost 20,000 lines!) to safeguard against SQL Injection.
As I understand it, whenever a variable is passed as part of a query, it should be done with parameterized statements (e.g ExecQuery2), otherwise the "standard" statements are OK. To make sure I understand it correctly, please see if the following is correct:
B4X: 
sql1.ExecNonQuery("UPDATE tblRecipeItems SET Percent = "&v14VGAdd&", VG = "&v14VGAdd&" WHERE Comp_ID = 1") ' DANGEROUS
sql1.ExecNonQuery2("UPDATE tblRecipeItems SET Percent = ?, VG = ? WHERE Comp_ID = 1", Array as String(v14VGAdd,v14VGAdd)) ' SAFE
v14tmpPG = sql1.ExecQuerySingleResult("SELECT SUM(PG) FROM tblRecipeItems WHERE Comp_ID <> 2") ' SAFE
v14tmpPG = sql1.ExecQuerySingleResult("SELECT SUM(PG) FROM tblRecipeItems WHERE Comp_ID <> '"&vType&"')" ' DANGEROUS
v14tmpPG = sql1.ExecQuerySingleResult2("SELECT SUM(PG) FROM tblRecipeItems WHERE Comp_ID <> ?",Array as String(vType)) ' SAFE
I don't fully understand the whole issue of SQL Injection, but I'd rather be safe. As my dad used to say "You don't need to understand how an internal combustion engine works, to drive a car". So as long as I am on the right track here, I'm OK with it!
 
Upvote 0
DonManfred

DonManfred

Expert
Licensed User
Longtime User
Upvote 0
netsistemas

netsistemas

Active Member
Licensed User
Longtime User
If VAR have this value:1' or 1='1
or other sentences similar to this: '; delete from tblRecipeItems where '1'='1
What would happen?

This is only a simple idea of sql inyection no real in this case (o yes).

Imagina que la variable vType tiene este valor: 1' or 1='1 (veansé las comillas).
La idea general es añadir un OR 1=1 y pensar en las comillas.
También podrias concatenar algo del estilo:
'; delete from tblRecipeItems where 1='1
Suponiendo que el malvado sepa el nombre de la tabla.... pero podria saberlo.
Es una simple idea de Sql Inyection no real in este caso (o quizás sí).


v14tmpPG = sql1.ExecQuerySingleResult("SELECT SUM(PG) FROM tblRecipeItems WHERE Comp_ID <> '"&vType&"')"
 
Upvote 0
You must log in or register to reply here.

Similar Threads

KZero
  • Article
B4A Library xListview
Replies
18
Views
6K
Xfood
Xfood
A
  • Question
Android Question CustomListView - Transaction too large crash when going to pause.
2
Replies
28
Views
5K
alon
A
Erel
  • Question
Other B4A v7.01 has been released!
2 3
Replies
52
Views
30K
tucano2000
tucano2000
Erel
  • Article
Android Tutorial Large & Searchable List with SearchView + B4XSerializator
2
Replies
25
Views
21K
Erel
Erel
Dave O
  • Article
B4A Class DOTips 2.7 - show an overlay for app tips
2 3
Replies
55
Views
18K
Dave O
Dave O
Top