Want to keep learning?

This content is taken from the University of Southampton's online course, Secure Android App Development. Join the course to learn more.

Input validation

SQL injection attacks are a special case of a more general type of attack.

Whenever a program, be that an Android app, a web server, or some other kind of system, takes input from the outside world, an attacker may try to exploit this to attack the system.

By carefully crafting a malicious input, an attacker may be able to get the system to do something that the designer did not intend. This could involve access to sensitive data, but equally it could result in real physical damage, or possibly even serious injuries or fatalities (remember the Jeep Cherokee hack in week 1!).

Input validation

It is therefore vitally important that a program always:

  1. carefully checks all inputs for dangerous values, or

  2. enforces strong restrictions on how the inputs are used.

The parameterised query that we used to fix BuggyTheApp is an example of the latter approach.

Enforcing strong restrictions on how user inputs are used is the preferred solution, as correctly filtering out dangerous values can be hard to get right and error prone.

Share this article:

This article is from the free online course:

Secure Android App Development

University of Southampton