B4X

Develop Android, iOS and IoT applications

SQL Injection

SQL Injection is a vulnerability in which specially crafted user input becomes part of a query and is executed by the SQL engine. It is one of the most common vulnerabilities.

Example of vulnerable code that checks the user password:

' users is a placeholder table name; the original snippet omitted the FROM clause.
' The user's text is concatenated straight into the SQL string (closing quote fixed to "'").
Dim count As Int = SQL.ExecuteQuerySingleResult("SELECT count(*) FROM users WHERE password = '" & EditText1.Text & "'")
If count > 0 Then
	Log("Welcome authenticated user!")
End If

A user can enter: ' or 'a' = 'a. This results in the following WHERE clause: password = '' or 'a' = 'a'. It will match all records.
Another problem with this code is that the query breaks with a syntax error if the input includes an apostrophe.

As the solution is so simple, there is really no excuse to write such code. Correct code:

' users is a placeholder table name; the original snippet omitted the FROM clause.
' The input is passed as a bound parameter, never as part of the SQL text.
Dim count As Int = SQL.ExecuteQuerySingleResult2("SELECT count(*) FROM users WHERE password = ?", Array As String(EditText1.Text))
If count > 0 Then
	Log("Welcome authenticated user!")
End If

The SQL engine treats the user input as a single parameter value. There is no need to escape anything and no need to worry about SQL injection.
Simple and safe.
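The same two queries run side by side against an SQLite database in Python, as an added example that is not part of the original glossary entry; the users table, its rows and the inputs are constructed here to show the three behaviours described above (normal login, the ' or 'a' = 'a input, and a lone apostrophe):

```python
import sqlite3


def make_db():
    # Constructed sample table with two users (plaintext passwords are used
    # only to keep the example minimal; they are not good practice).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def count_vulnerable(conn, user_input):
    # Mirrors the vulnerable B4X line: the input is pasted into the SQL text,
    # so quotes in the input change the structure of the query.
    query = "SELECT count(*) FROM users WHERE password = '" + user_input + "'"
    return conn.execute(query).fetchone()[0]


def count_parameterized(conn, user_input):
    # Mirrors ExecuteQuerySingleResult2: the engine receives the input as one
    # parameter value and compares it literally, quotes included.
    query = "SELECT count(*) FROM users WHERE password = ?"
    return conn.execute(query, (user_input,)).fetchone()[0]


def demo():
    conn = make_db()
    results = {}
    results["vuln_correct"] = count_vulnerable(conn, "s3cret")            # 1 row
    results["vuln_injected"] = count_vulnerable(conn, "' or 'a' = 'a")    # every row
    try:
        count_vulnerable(conn, "O'Brien")
        results["vuln_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["vuln_apostrophe"] = "error"   # lone apostrophe breaks the query
    results["param_correct"] = count_parameterized(conn, "s3cret")        # 1 row
    results["param_injected"] = count_parameterized(conn, "' or 'a' = 'a")  # 0 rows
    results["param_apostrophe"] = count_parameterized(conn, "O'Brien")    # 0 rows, no error
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```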

https://xkcd.com/327/

Written by Erel Uziel

Copyright © 2025 · Anywhere Software. Android is a trademark of Google Inc. iOS is a registered trademark of Apple. Arduino is a trademark of Arduino. Java is a trademark of Oracle.