
Input validation

SQL injection attacks are a special case of a more general type of attack.

Whenever a program, be that an Android app, a web server, or some other kind of system, takes input from the outside world, an attacker may try to exploit this to attack the system.

By carefully crafting a malicious input, an attacker may be able to get the system to do something that the designer did not intend. This could involve access to sensitive data, but equally it could result in real physical damage, or possibly even serious injuries or fatalities (remember the Jeep Cherokee hack in week 1!).

Input validation

It is therefore vitally important that a program always:

  1. carefully checks all inputs for dangerous values, or

  2. enforces strong restrictions on how the inputs are used.

The parameterised query that we used to fix BuggyTheApp is an example of the latter approach.

Enforcing strong restrictions on how user inputs are used is the preferred solution, because correctly filtering out dangerous values is hard to get right and error-prone.
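The two approaches side by side, as an added example that is not the course's own BuggyTheApp code. It uses Python's built-in sqlite3 module rather than Android's SQLiteDatabase so that it runs stand-alone; the `?` placeholders work the same way as the `selectionArgs` parameter of Android's `rawQuery`. The table, rows and the username allow-list pattern are constructed for the example.

```python
import re
import sqlite3

# Constructed sample rows standing in for an app's local user table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The bug: the input is pasted into the query text, so it can change
    the structure of the query rather than just the value being compared."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, name: str) -> list:
    """Approach 2 (preferred): the query structure is fixed at coding time;
    whatever the input contains, the database only ever treats it as a value."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Approach 1: an allow-list of what a username may look like (assumed format).
NAME_PATTERN = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_name(name: str) -> bool:
    """Return True only for inputs that match the allow-list exactly."""
    return NAME_PATTERN.match(name) is not None


def lookup_validated(conn: sqlite3.Connection, name: str) -> list:
    """Both approaches layered: reject unexpected input early, and still use a
    parameterised query so nothing depends on the check being perfect."""
    if not validate_name(name):
        raise ValueError("rejected input: not a valid username")
    return lookup_parameterised(conn, name)


if __name__ == "__main__":
    db = make_db()
    # A crafted input that ends the string literal and appends a condition that
    # is always true; the concatenated query returns every row, the
    # parameterised one returns none because no user has that literal name.
    crafted = "x' OR '1'='1"
    print("vulnerable:    ", lookup_vulnerable(db, crafted))
    print("parameterised: ", lookup_parameterised(db, crafted))
    print("validated:     ", validate_name(crafted))
```

Run it to see the concatenated query leak both rows while the parameterised query returns an empty result for the same input. Note that `validate_name` is intentionally strict: anything outside the allow-list is rejected, which is easier to reason about than trying to enumerate "dangerous" characters to strip.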


This article is from the free online course:

Secure Android App Development

University of Southampton
