Android Tutorial Protect your Database against SQL Injection

Discussion in 'Tutorials & Examples' started by wonder, Jun 16, 2015.

  1. wonder

    wonder Expert Licensed User

    Hi guys!

This might not be the sexiest nor the most elegant piece of code, but it works for me.
    Hopefully, someone will find it useful... :)

    SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

    'Returns False if the input contains a space, a semicolon, or any ASCII,
    'typographic (U+2018..U+201F, U+2039/U+203A), guillemet (U+00AB/U+00BB),
    'CJK (U+300C..U+301F), vertical-form (U+FE41..U+FE44) or fullwidth/halfwidth
    '(U+FF02, U+FF07, U+FF62/U+FF63) quote or bracket character; True otherwise.
    Sub InjectionSafe(input As String) As Boolean
    If _
    input.Contains(" ") _
    OR input.Contains(";") _
    OR input.Contains("'") _
    OR input.Contains(Chr(0x0022)) _
    OR input.Contains(Chr(0x0027)) _
    OR input.Contains(Chr(0x00AB)) _
    OR input.Contains(Chr(0x00BB)) _
    OR input.Contains(Chr(0x2018)) _
    OR input.Contains(Chr(0x2019)) _
    OR input.Contains(Chr(0x201A)) _
    OR input.Contains(Chr(0x201B)) _
    OR input.Contains(Chr(0x201C)) _
    OR input.Contains(Chr(0x201D)) _
    OR input.Contains(Chr(0x201E)) _
    OR input.Contains(Chr(0x201F)) _
    OR input.Contains(Chr(0x2039)) _
    OR input.Contains(Chr(0x203A)) _
    OR input.Contains(Chr(0x300C)) _
    OR input.Contains(Chr(0x300D)) _
    OR input.Contains(Chr(0x300E)) _
    OR input.Contains(Chr(0x300F)) _
    OR input.Contains(Chr(0x301D)) _
    OR input.Contains(Chr(0x301E)) _
    OR input.Contains(Chr(0x301F)) _
    OR input.Contains(Chr(0xFE41)) _
    OR input.Contains(Chr(0xFE42)) _
    OR input.Contains(Chr(0xFE43)) _
    OR input.Contains(Chr(0xFE44)) _
    OR input.Contains(Chr(0xFF02)) _
    OR input.Contains(Chr(0xFF07)) _
    OR input.Contains(Chr(0xFF62)) _
    OR input.Contains(Chr(0xFF63)) Then
        Return False
    Else
        Return True
    End If
    End Sub

    'Imagine the user enters their username into a text box named "user_input"
    If InjectionSafe(user_input.Text) Then
        'input contains none of the blacklisted characters: safe to build the query
    Else
        'input was rejected: do not pass it to the database
    End If
    Last edited: Jun 16, 2015
  2. Erel

    Erel Administrator Staff Member Licensed User

    Parameterized queries are also safe (SQL.ExecQuery2, ExecNonQuery2).
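Erel's point, as an added example that is not code from either post: the same user lookup written with string concatenation and with a bound parameter, run against SQLite (the engine behind B4A's SQL library), together with a port of the InjectionSafe blacklist from the first post. It is written in Python so it runs stand-alone; the table, the function names (`names_by_name_concat`, `names_by_id_param`, and so on) and the two attacker inputs are constructed for the example and are not from the thread.

```python
import sqlite3

# Constructed sample table (not data from the original post).
SAMPLE_USERS = [(1, "alice"), (2, "o'brien"), (3, "bob")]

# Characters rejected by the InjectionSafe blacklist in the first post,
# ported to Python so it can be run against the same inputs.
BLACKLIST = ' ;\'"' + "".join(chr(c) for c in (
    0x00AB, 0x00BB, 0x2018, 0x2019, 0x201A, 0x201B, 0x201C, 0x201D,
    0x201E, 0x201F, 0x2039, 0x203A, 0x300C, 0x300D, 0x300E, 0x300F,
    0x301D, 0x301E, 0x301F, 0xFE41, 0xFE42, 0xFE43, 0xFE44,
    0xFF02, 0xFF07, 0xFF62, 0xFF63))


def injection_safe(text):
    """True when the input contains none of the blacklisted characters."""
    return not any(ch in BLACKLIST for ch in text)


def make_db():
    """In-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def names_by_name_concat(conn, name):
    """Vulnerable: the value is pasted into the statement text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def names_by_id_concat(conn, id_text):
    """Vulnerable numeric context: no quote or space is needed to inject."""
    sql = "SELECT name FROM users WHERE id = " + id_text
    return [row[0] for row in conn.execute(sql)]


def names_by_name_param(conn, name):
    """Safe: the value is bound as a parameter (the ExecQuery2 approach)."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def names_by_id_param(conn, id_text):
    """Safe numeric lookup: check the type first, then bind the value."""
    try:
        user_id = int(id_text)
    except ValueError:
        return []
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"            # classic quote-based payload
    print(names_by_name_concat(db, tautology))   # every row leaks
    print(names_by_name_param(db, tautology))    # nothing matches
    print(names_by_name_param(db, "o'brien"))    # legitimate quote works
    comment_trick = "1/**/OR/**/1=1"      # SQL comments stand in for spaces
    print(injection_safe(comment_trick))         # passes the blacklist
    print(names_by_id_concat(db, comment_trick)) # every row leaks anyway
    print(names_by_id_param(db, comment_trick))  # rejected by int()
```

The blacklist refuses `o'brien`, a legitimate username, while the bound parameter stores and finds it without trouble. In the numeric lookup the payload `1/**/OR/**/1=1` contains no space, quote or semicolon, so `injection_safe` accepts it, yet the SQLite tokenizer treats the `/**/` comments as whitespace and the concatenated query returns the whole table. With a bound parameter the value never reaches the SQL parser as statement text, which is why ExecQuery2 and ExecNonQuery2 are safe regardless of what the user typed.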