Info Call to SQLite query API

Description

Improper SQL query construction could lead to SQL injection. An SQL injection attack consists of injecting an SQL query via the input data sent from the client to the application.

Recommendation

This entry is informative; no recommendations are applicable.

Technical details

Method com.here.sdk.analytics.internal.h.executeStatementForResult() calling method android.database.sqlite.SQLiteDatabase.rawQuery()


    /**
     * Runs {@code p13} as a read query through {@code rawQuery} and copies every
     * row of the resulting cursor into a {@code SQLiteDatabaseStatementResult}.
     *
     * <p>This is decompiler output: {@code int} declarations for object values,
     * {@code 0} standing for {@code null}/{@code false}, and {@code catch (int …)}
     * are artifacts. The try/catch boundaries below are also the decompiler's
     * reconstruction and may not match the original source exactly.
     *
     * @param p13 the SQL text; it is passed to {@code rawQuery} unchanged and
     *     with no bind arguments, so any untrusted data embedded in it by the
     *     caller reaches the engine as SQL (the basis of the reported finding)
     * @return a result whose first constructor argument is {@code 0} on success
     *     and {@code 1} (with empty column and row lists) when the database is
     *     not open or executing the statement throws; presumably an error flag
     */
    public com.here.sdk.analytics.internal.SQLiteDatabaseStatementResult executeStatementForResult(String p13)
    {
        int v0_0;
        // Presumably a log call (g.a). It records the complete SQL text, so any
        // literal values the caller embedded in the statement end up in the log.
        com.here.sdk.analytics.internal.g.a(com.here.sdk.analytics.internal.h.a, new StringBuilder().append("executeStatementForResult: sql: ").append(p13).toString());
        // this.e is presumably the open SQLiteDatabase; null means "not open".
        if (this.e != null) {
            this.e.beginTransaction();
            try {
                // rawQuery(sql, selectionArgs) with selectionArgs == null: no
                // parameter binding happens in this method.
                android.database.Cursor v5 = this.e.rawQuery(p13, 0);
                // The transaction is marked successful and ended before the
                // cursor is read; the rows are materialized outside of it.
                this.e.setTransactionSuccessful();
                this.e.endTransaction();
                try {
                    int v6 = v5.getColumnCount();
                    // v7_1: column names in cursor order; v8: their indices.
                    java.util.ArrayList v7_1 = new java.util.ArrayList(v6);
                    int[] v8 = new int[v6];
                    int v0_10 = 0;
                } catch (int v0_18) {
                    // Decompiler placed the iteration loops after this try; this
                    // catch-all closes the cursor and rethrows, and presumably
                    // covered the whole cursor walk in the original source.
                    v5.close();
                    throw v0_18;
                }
                // Collect column names and resolve each to its cursor index.
                while (v0_10 < v6) {
                    java.util.ArrayList v1_14 = v5.getColumnName(v0_10);
                    v7_1.add(v1_14);
                    v8[v0_10] = v5.getColumnIndex(v1_14);
                    v0_10++;
                }
                // v9_1: one RowWithColumns per cursor row.
                java.util.ArrayList v9_1 = new java.util.ArrayList();
                while (v5.moveToNext()) {
                    java.util.ArrayList v10_1 = new java.util.ArrayList(v6);
                    int v4_1 = 0;
                    while (v4_1 < v6) {
                        java.util.ArrayList v1_12;
                        // getString returns null for SQL NULL; v1_12 records
                        // whether a value was present (1) or not (0).
                        int v0_16 = v5.getString(v8[v4_1]);
                        if (v0_16 == 0) {
                            v1_12 = 0;
                        } else {
                            v1_12 = 1;
                        }
                        // NULL is carried as an empty string plus the "absent" flag.
                        if (v0_16 == 0) {
                            v0_16 = "";
                        }
                        // Presumably OptionalString(hasValue, value) — confirm against the class.
                        v10_1.add(new com.here.sdk.analytics.internal.OptionalString(v1_12, v0_16));
                        v4_1++;
                    }
                    v9_1.add(new com.here.sdk.analytics.internal.RowWithColumns(v10_1));
                }
                // Success result: 0, column names, rows. Cursor closed only on
                // this path and in the inner catch above.
                v0_0 = new com.here.sdk.analytics.internal.SQLiteDatabaseStatementResult(0, v7_1, v9_1);
                v5.close();
            } catch (int v0_9) {
                // Acts as a finally: end the transaction, then rethrow.
                // NOTE(review): if the decompiler's try boundaries are faithful,
                // an exception thrown while iterating the cursor (after the
                // endTransaction above) reaches this handler and ends the
                // transaction a second time — confirm against the original.
                this.e.endTransaction();
                throw v0_9;
            } catch (int v0_7) {
                // Catch-all: presumably logs the SQL text together with the
                // exception, then reports failure instead of propagating.
                com.here.sdk.analytics.internal.g.a(com.here.sdk.analytics.internal.h.a, new StringBuilder().append("Error executing statement: ").append(p13).toString(), v0_7);
                v0_0 = new com.here.sdk.analytics.internal.SQLiteDatabaseStatementResult(1, new java.util.ArrayList(), new java.util.ArrayList());
                this.e.endTransaction();
            }
        } else {
            // Database handle absent: presumably a warning/error log (g.c),
            // then an empty failure result.
            com.here.sdk.analytics.internal.g.c(com.here.sdk.analytics.internal.h.a, "executeStatementForResult: Failed to execute because database is not open");
            v0_0 = new com.here.sdk.analytics.internal.SQLiteDatabaseStatementResult(1, new java.util.ArrayList(), new java.util.ArrayList());
        }
        return v0_0;
    }

Method com.here.sdk.analytics.internal.h.executeStatement() calling method android.database.sqlite.SQLiteDatabase.execSQL()


    /**
     * Executes {@code p7} as one or more non-query statements via
     * {@code execSQL} inside a single transaction.
     *
     * <p>This is decompiler output: the {@code String}/{@code int}/
     * {@code SQLiteDatabase} declarations for {@code v2_1}, {@code v3_0} and
     * {@code v1_3} are artifacts ({@code v2_1} is indexed and has a
     * {@code .length}, so it is an array; {@code v3_0} and {@code v1_3} are
     * ints). The catch blocks are printed before the loop they presumably
     * guard in the original source.
     *
     * @param p7 the SQL text; {@code this.a(p7)} presumably splits it into
     *     individual statements, each of which is handed to {@code execSQL}
     *     unchanged and without bind arguments, so the caller alone decides
     *     whether untrusted data can reach the engine as SQL
     * @return {@code true} (1) only when every statement executed and the
     *     transaction was marked successful; {@code false} (0) when the
     *     database is not open or execution threw
     */
    public boolean executeStatement(String p7)
    {
        // Return flag; stays 0 (false) unless the whole batch succeeds.
        int v0_0 = 0;
        // Presumably a log call (g.a) that records the full SQL text.
        com.here.sdk.analytics.internal.g.a(com.here.sdk.analytics.internal.h.a, new StringBuilder().append("executeStatement: sql: ").append(p7).toString());
        // this.e is presumably the open SQLiteDatabase; null means "not open".
        if (this.e != null) {
            this.e.beginTransaction();
            try {
                // this.a(p7): presumably a statement splitter — confirm.
                String v2_1 = this.a(p7);
                String v3_0 = v2_1.length;
                android.database.sqlite.SQLiteDatabase v1_3 = 0;
            } catch (int v0_1) {
                // Acts as a finally: end the transaction, then rethrow.
                this.e.endTransaction();
                throw v0_1;
            } catch (android.database.sqlite.SQLiteDatabase v1_6) {
                // Catch-all: presumably logs the SQL text with the exception,
                // ends the transaction and leaves v0_0 at 0 (false).
                com.here.sdk.analytics.internal.g.a(com.here.sdk.analytics.internal.h.a, new StringBuilder().append("Error executing statement: ").append(p7).toString(), v1_6);
                this.e.endTransaction();
            }
            // Run each statement in order. The handlers above presumably
            // covered this loop in the original source.
            while (v1_3 < v3_0) {
                // execSQL(sql) with no bindArgs: no parameter binding here.
                this.e.execSQL(v2_1[v1_3]);
                v1_3++;
            }
            // All statements ran: commit and report success.
            this.e.setTransactionSuccessful();
            v0_0 = 1;
            this.e.endTransaction();
        } else {
            // Database handle absent: presumably a warning/error log (g.c).
            com.here.sdk.analytics.internal.g.c(com.here.sdk.analytics.internal.h.a, "executeStatement: Failed to execute because database is not open");
        }
        return v0_0;
    }