agrosner / DBFlow

A blazing fast, powerful, and very simple ORM android database library that writes database code for you.


DataFlow library uses Raw SQL Query

Sathishdisys opened this issue · comments

ISSUE_TEMPLATE

DBFlow Version: 4.1.2

Bug or Feature Request:
It is recommended:
1. Sanitize the data before storing it in the database, preferably using character encoding.
2. Double up any single quotation marks appearing within user input before incorporating that input into a SQL query.
3. Using parameterized queries with regular expressions is recommended.
Description:
There is a potential risk that a threat actor can abuse this vulnerability to perform SQL injection or database enumeration attacks, leading to information disclosure.

Below files are affected:
com\raizlabs\android\dbflow\sql\language\BaseQueriable.java
com\raizlabs\android\dbflow\structure\database\AndroidDatabase.java
com\raizlabs\android\dbflow\structure\database\AndroidDatabaseStatement.java
com\raizlabs\android\dbflow\structure\database\BaseDatabaseHelper.java

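The quote-doubling and parameter-binding recommendations from the issue, as an added example that is not DBFlow's code and not part of the thread; it uses Python's sqlite3 on an in-memory database rather than Android's SQLite API, with a constructed `user` table, and includes a fixed query with no user input of the kind the maintainer's reply describes.

```python
import sqlite3

def setup() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an app's SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO user (name) VALUES (?)",
                     [("alice",), ("O'Brien",)])
    return conn

def escape_single_quotes(value: str) -> str:
    """Recommendation 2: double every single quote before splicing text into a
    SQL string literal. SQLite reads '' inside a literal as one literal quote."""
    return value.replace("'", "''")

def find_by_name_concat(conn: sqlite3.Connection, name: str) -> list:
    """String-built query with the quote-doubling escape applied, so a quote in
    the input cannot close the literal and change the query's structure."""
    sql = "SELECT name FROM user WHERE name = '%s'" % escape_single_quotes(name)
    return [row[0] for row in conn.execute(sql)]

def find_by_name_param(conn: sqlite3.Connection, name: str) -> list:
    """Recommendation 3: parameter binding. The SQL text is fixed and the value
    is handed to the engine separately, so it is never parsed as SQL."""
    return [row[0] for row in
            conn.execute("SELECT name FROM user WHERE name = ?", (name,))]

def find_all_hardcoded(conn: sqlite3.Connection) -> list:
    """A fixed query with no user input: nothing attacker-controlled reaches the
    SQL text, so there is nothing to escape or bind."""
    return [row[0] for row in conn.execute("SELECT name FROM user ORDER BY name")]
```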

These are hardcoded queries that do not take user input. There is no credible risk that I can tell.