From cb065d081231461a3cd49375868b8afdf944a54d Mon Sep 17 00:00:00 2001 From: Anthony Restaino Date: Fri, 22 Jul 2016 22:51:40 -0400 Subject: [PATCH] Properly escape query strings, fixed crash --- .../lightning/database/HistoryDatabase.java | 22 +++++++++++-------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/app/src/main/java/acr/browser/lightning/database/HistoryDatabase.java b/app/src/main/java/acr/browser/lightning/database/HistoryDatabase.java index ecbcfd2..cfcc405 100644 --- a/app/src/main/java/acr/browser/lightning/database/HistoryDatabase.java +++ b/app/src/main/java/acr/browser/lightning/database/HistoryDatabase.java @@ -6,8 +6,10 @@ package acr.browser.lightning.database; import android.content.ContentValues; import android.content.Context; import android.database.Cursor; +import android.database.DatabaseUtils; import android.database.sqlite.SQLiteDatabase; import android.database.sqlite.SQLiteOpenHelper; +import android.database.sqlite.SQLiteQuery; import android.support.annotation.NonNull; import android.support.annotation.Nullable; @@ -62,8 +64,8 @@ public class HistoryDatabase extends SQLiteOpenHelper { @Override public void onCreate(@NonNull SQLiteDatabase db) { String CREATE_HISTORY_TABLE = "CREATE TABLE " + TABLE_HISTORY + '(' + KEY_ID - + " INTEGER PRIMARY KEY," + KEY_URL + " TEXT," + KEY_TITLE + " TEXT," - + KEY_TIME_VISITED + " INTEGER" + ')'; + + " INTEGER PRIMARY KEY," + KEY_URL + " TEXT," + KEY_TITLE + " TEXT," + + KEY_TIME_VISITED + " INTEGER" + ')'; db.execSQL(CREATE_HISTORY_TABLE); } @@ -111,7 +113,7 @@ public class HistoryDatabase extends SQLiteOpenHelper { values.put(KEY_TITLE, title == null ? "" : title); values.put(KEY_TIME_VISITED, System.currentTimeMillis()); Cursor q = mDatabase.query(false, TABLE_HISTORY, new String[]{KEY_URL}, - KEY_URL + " = ?", new String[]{url}, null, null, null, "1"); + KEY_URL + " = ?", new String[]{url}, null, null, null, "1"); if (q.getCount() > 0) { mDatabase.update(TABLE_HISTORY, values, KEY_URL + " = ?", new String[]{url}); } else { @@ -133,7 +135,7 @@ public class HistoryDatabase extends SQLiteOpenHelper { synchronized String getHistoryItem(@NonNull String url) { mDatabase = openIfNecessary(); Cursor cursor = mDatabase.query(TABLE_HISTORY, new String[]{KEY_ID, KEY_URL, KEY_TITLE}, - KEY_URL + " = ?", new String[]{url}, null, null, null, null); + KEY_URL + " = ?", new String[]{url}, null, null, null, null); String m = null; if (cursor != null) { cursor.moveToFirst(); @@ -151,9 +153,11 @@ public class HistoryDatabase extends SQLiteOpenHelper { if (search == null) { return itemList; } - String selectQuery = "SELECT * FROM " + TABLE_HISTORY + " WHERE " + KEY_TITLE + " LIKE '%" - + search + "%' OR " + KEY_URL + " LIKE '%" + search + "%' " + "ORDER BY " - + KEY_TIME_VISITED + " DESC LIMIT 5"; + search = DatabaseUtils.sqlEscapeString('%' + search + '%'); + + String selectQuery = "SELECT * FROM " + TABLE_HISTORY + " WHERE " + KEY_TITLE + " LIKE " + + search + " OR " + KEY_URL + " LIKE " + search + " ORDER BY " + + KEY_TIME_VISITED + " DESC LIMIT 5"; Cursor cursor = mDatabase.rawQuery(selectQuery, null); int n = 0; @@ -176,7 +180,7 @@ public class HistoryDatabase extends SQLiteOpenHelper { mDatabase = openIfNecessary(); List itemList = new ArrayList<>(100); String selectQuery = "SELECT * FROM " + TABLE_HISTORY + " ORDER BY " + KEY_TIME_VISITED - + " DESC"; + + " DESC"; Cursor cursor = mDatabase.rawQuery(selectQuery, null); int counter = 0; @@ -199,7 +203,7 @@ public class HistoryDatabase extends SQLiteOpenHelper { mDatabase = openIfNecessary(); List itemList = new ArrayList<>(); String selectQuery = "SELECT * FROM " + TABLE_HISTORY + " ORDER BY " + KEY_TIME_VISITED - + " DESC"; + + " DESC"; Cursor cursor = mDatabase.rawQuery(selectQuery, null);