Info Call to SQLite query API

Description

Improper SQL query construction could lead to SQL injection. An SQL injection attack consists of injecting of an SQL query via the input data from the client to the application

Recommendation

This entry is informative, no recommendations applicable.

Technical details

Method com.google.android.gms.common.util.DbUtils.zza() calling method android.database.sqlite.SQLiteDatabase.execSQL()


    private static varargs void zza(android.database.sqlite.SQLiteDatabase p8, String p9, String[] p10)
    {
        Throwable v0_2;
        Throwable v5 = 0;
        if ((!"table".equals(p9)) && ((!"view".equals(p9)) && (!"trigger".equals(p9)))) {
            v0_2 = 0;
        } else {
            v0_2 = 1;
        }
        com.google.android.gms.common.internal.Preconditions.checkArgument(v0_2);
        android.database.Cursor v2_0 = new String[1];
        v2_0[0] = "name";
        String v4_1 = new String[1];
        v4_1[0] = p9;
        android.database.Cursor v2_1 = p8.query("SQLITE_MASTER", v2_0, "type == ?", v4_1, 0, 0, 0);
        try {
            Throwable v0_6 = com.google.android.gms.common.util.CollectionUtils.setOf(p10);
        } catch (Throwable v0_8) {
            if (v2_1 != null) {
                if (v5 == null) {
                    v2_1.close();
                } else {
                    try {
                        v2_1.close();
                    } catch (Throwable v1_5) {
                        com.google.android.gms.internal.stable.zzk.zza(v5, v1_5);
                    }
                }
            }
            throw v0_8;
        } catch (Throwable v0_7) {
            try {
                throw v0_7;
            } catch (Throwable v1_4) {
                v5 = v0_7;
                v0_8 = v1_4;
            }
        }
        while (v2_1.moveToNext()) {
            Throwable v1_3 = v2_1.getString(0);
            if (!v0_6.contains(v1_3)) {
                p8.execSQL(new StringBuilder(((String.valueOf(p9).length() + 8) + String.valueOf(v1_3).length())).append("DROP ").append(p9).append(" \'").append(v1_3).append("\'").toString());
            }
        }
        if (v2_1 != null) {
            v2_1.close();
        }
        return;
    }

Method com.google.android.gms.common.util.DbUtils.zza() calling method android.database.sqlite.SQLiteDatabase.query()


    private static varargs void zza(android.database.sqlite.SQLiteDatabase p8, String p9, String[] p10)
    {
        Throwable v0_2;
        Throwable v5 = 0;
        if ((!"table".equals(p9)) && ((!"view".equals(p9)) && (!"trigger".equals(p9)))) {
            v0_2 = 0;
        } else {
            v0_2 = 1;
        }
        com.google.android.gms.common.internal.Preconditions.checkArgument(v0_2);
        android.database.Cursor v2_0 = new String[1];
        v2_0[0] = "name";
        String v4_1 = new String[1];
        v4_1[0] = p9;
        android.database.Cursor v2_1 = p8.query("SQLITE_MASTER", v2_0, "type == ?", v4_1, 0, 0, 0);
        try {
            Throwable v0_6 = com.google.android.gms.common.util.CollectionUtils.setOf(p10);
        } catch (Throwable v0_8) {
            if (v2_1 != null) {
                if (v5 == null) {
                    v2_1.close();
                } else {
                    try {
                        v2_1.close();
                    } catch (Throwable v1_5) {
                        com.google.android.gms.internal.stable.zzk.zza(v5, v1_5);
                    }
                }
            }
            throw v0_8;
        } catch (Throwable v0_7) {
            try {
                throw v0_7;
            } catch (Throwable v1_4) {
                v5 = v0_7;
                v0_8 = v1_4;
            }
        }
        while (v2_1.moveToNext()) {
            Throwable v1_3 = v2_1.getString(0);
            if (!v0_6.contains(v1_3)) {
                p8.execSQL(new StringBuilder(((String.valueOf(p9).length() + 8) + String.valueOf(v1_3).length())).append("DROP ").append(p9).append(" \'").append(v1_3).append("\'").toString());
            }
        }
        if (v2_1 != null) {
            v2_1.close();
        }
        return;
    }