
Fixing the SQL vulnerability

Fortify shows there are SQL injection vulnerabilities in DBclass.java.

We will concentrate on the vulnerability in the searchpass() method, as this is the one we exploited.

As you can see, BuggyTheApp concatenates the user's input straight into the query string without performing any checking on what the user enters. Anything typed into the login form becomes part of the SQL text. This is how we were able to attack Buggy!

Parameterised SQL queries

To solve this we can use a parameterised SQL query, where the user input is always treated as data, never as commands.

Parameterised queries use placeholders (parameters) in the SQL text. The user input is not spliced into that text; it is bound to the placeholders separately when the query is executed, and a bound value can only ever be data.

This means the code tells the database exactly which parts are SQL commands (specified by the app code) and which are data (user-supplied values). Whatever the user enters, including quotes or SQL keywords, is compared as a value, so the database never treats it as part of the command. One limit worth knowing: placeholders bind values only, not identifiers, so table and column names must still come from the app code (as DATABASE_TABLE does below), never from user input.

Fixing BuggyTheApp

Using the recommendations from Audit Workbench we can fix searchpass() as follows:

//Buggy code commented out: user input is concatenated into the SQL text
//String searchquery="select * from "+DATABASE_TABLE+" where username ='"+loginUsername+"' and password='"+loginpass+"';";
//Cursor cursor=db.rawQuery(searchquery,null);

//::FIXED CODE::
//DATABASE_TABLE is an app constant, so it is safe to concatenate; a table name cannot be a ? parameter.
//The two ? placeholders are bound to the user-supplied values via selectionArgs, so they are always treated as data.
Cursor cursor=db.rawQuery("select * from "+DATABASE_TABLE+" where "+ "username=? and password=?",
                          new String [] {loginUsername, loginpass});

We can now re-run Fortify to check that the SQL injection finding in searchpass() is gone. A clean scan shows the pattern has been removed; repeating the original attack against the app confirms that the fix actually works.
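To see the difference without the Android tooling, here is an added example in Python (not the course's Java code) that reproduces both versions of searchpass() against SQLite, the same database engine Android uses. The table name, the sample user and the attack string are constructed for this example and are not taken from BuggyTheApp.

```python
import sqlite3

# App-controlled constant, as in BuggyTheApp (the table name here is assumed).
# It is concatenated because SQLite cannot bind an identifier to a ? placeholder.
DATABASE_TABLE = "users"


def make_db():
    """Constructed in-memory database with one sample user (example data)."""
    db = sqlite3.connect(":memory:")
    db.execute(f"create table {DATABASE_TABLE} (username text, password text)")
    db.execute(f"insert into {DATABASE_TABLE} values (?, ?)", ("alice", "s3cret"))
    db.commit()
    return db


def searchpass_buggy(db, loginUsername, loginpass):
    """Mirrors the vulnerable Java: user input is spliced into the SQL text."""
    searchquery = ("select * from " + DATABASE_TABLE + " where username ='"
                   + loginUsername + "' and password='" + loginpass + "'")
    return db.execute(searchquery).fetchall()


def searchpass_fixed(db, loginUsername, loginpass):
    """Mirrors the fixed Java: ? placeholders, values bound separately as data."""
    return db.execute(
        "select * from " + DATABASE_TABLE + " where username=? and password=?",
        (loginUsername, loginpass),
    ).fetchall()


def login_ok(search, db, username, password):
    """True when the query returns a matching row, i.e. the login is accepted."""
    return len(search(db, username, password)) > 0


if __name__ == "__main__":
    db = make_db()
    # Constructed attack string: closes the quoted literal and appends an
    # always-true clause, so the buggy query becomes
    #   ... where username ='nobody' and password='' or '1'='1'
    bypass = "' or '1'='1"
    print("buggy, real password:", login_ok(searchpass_buggy, db, "alice", "s3cret"))
    print("buggy, injected:     ", login_ok(searchpass_buggy, db, "nobody", bypass))
    print("fixed, real password:", login_ok(searchpass_fixed, db, "alice", "s3cret"))
    print("fixed, injected:     ", login_ok(searchpass_fixed, db, "nobody", bypass))
```

In the buggy version the injected string rewrites the query and logs in a user that does not even exist; in the fixed version the same string is bound as a password value, compared literally, and rejected. The fixed version also copes with a legitimate value containing a quote (a username such as O'Brien), which in the buggy version would produce a SQL syntax error instead of a failed login.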


This article is from the free online course:

Secure Android App Development

University of Southampton
