diff options
author | Martin Fietz <Martin.Fietz@gmail.com> | 2016-01-05 14:20:43 +0100 |
---|---|---|
committer | Martin Fietz <Martin.Fietz@gmail.com> | 2016-01-05 14:20:43 +0100 |
commit | b676967a5fe70c746c1478de3bf8186de8ff89a4 (patch) | |
tree | 454a79617f0c3039618116cded940214c3f84d35 /core | |
parent | 3d948c45390db22308628e462c148b70e09744ec (diff) | |
parent | 557b028c28b70c042ee582f25920b5af1b7a0f7d (diff) | |
download | AntennaPod-b676967a5fe70c746c1478de3bf8186de8ff89a4.zip |
Merge pull request #1512 from mfietz/issue/1510-escape-sql
Escape SQL query parameters
Diffstat (limited to 'core')
-rw-r--r-- | core/src/main/java/de/danoeh/antennapod/core/storage/PodDBAdapter.java | 36 |
1 files changed, 21 insertions, 15 deletions
diff --git a/core/src/main/java/de/danoeh/antennapod/core/storage/PodDBAdapter.java b/core/src/main/java/de/danoeh/antennapod/core/storage/PodDBAdapter.java index 87485a237..daff951df 100644 --- a/core/src/main/java/de/danoeh/antennapod/core/storage/PodDBAdapter.java +++ b/core/src/main/java/de/danoeh/antennapod/core/storage/PodDBAdapter.java @@ -1258,25 +1258,31 @@ public class PodDBAdapter { } public final Cursor getFeedItemCursor(final String podcastUrl, final String episodeUrl) { - final String query = "SELECT " + SEL_FI_SMALL_STR + " FROM " + TABLE_NAME_FEED_ITEMS - + " INNER JOIN " + - TABLE_NAME_FEEDS + " ON " + TABLE_NAME_FEED_ITEMS + "." + KEY_FEED + "=" + - TABLE_NAME_FEEDS + "." + KEY_ID + " WHERE " + TABLE_NAME_FEED_ITEMS + "." + KEY_ITEM_IDENTIFIER + "='" + - episodeUrl + "' AND " + TABLE_NAME_FEEDS + "." + KEY_DOWNLOAD_URL + "='" + podcastUrl + "'"; + String downloadUrl = DatabaseUtils.sqlEscapeString(podcastUrl); + String itemIdentifier = DatabaseUtils.sqlEscapeString(episodeUrl); + final String query = "" + + "SELECT " + SEL_FI_SMALL_STR + " FROM " + TABLE_NAME_FEED_ITEMS + + " INNER JOIN " + TABLE_NAME_FEEDS + + " ON " + TABLE_NAME_FEED_ITEMS + "." + KEY_FEED + "=" + TABLE_NAME_FEEDS + "." + KEY_ID + + " WHERE " + TABLE_NAME_FEED_ITEMS + "." + KEY_ITEM_IDENTIFIER + "='" + itemIdentifier + "'" + + " AND " + TABLE_NAME_FEEDS + "." + KEY_DOWNLOAD_URL + "='" + downloadUrl + "'"; return db.rawQuery(query, null); } public Cursor getImageAuthenticationCursor(final String imageUrl) { - final String query = "SELECT " + KEY_USERNAME + "," + KEY_PASSWORD + " FROM " - + TABLE_NAME_FEED_IMAGES + " INNER JOIN " + TABLE_NAME_FEEDS + " ON " + - TABLE_NAME_FEED_IMAGES + "." + KEY_ID + "=" + TABLE_NAME_FEEDS + "." + KEY_IMAGE + " WHERE " - + TABLE_NAME_FEED_IMAGES + "." + KEY_DOWNLOAD_URL + "='" + imageUrl + "' UNION SELECT " - + KEY_USERNAME + "," + KEY_PASSWORD + " FROM " + TABLE_NAME_FEED_IMAGES + " INNER JOIN " - + TABLE_NAME_FEED_ITEMS + " ON " + TABLE_NAME_FEED_IMAGES + "." + KEY_ID + "=" + - TABLE_NAME_FEED_ITEMS + "." + KEY_IMAGE + " INNER JOIN " + TABLE_NAME_FEEDS + " ON " - + TABLE_NAME_FEED_ITEMS + "." + KEY_FEED + "=" + TABLE_NAME_FEEDS + "." + KEY_ID + " WHERE " - + TABLE_NAME_FEED_IMAGES + "." + KEY_DOWNLOAD_URL + "='" + imageUrl + "'"; - Log.d(TAG, "Query: " + query); + String downloadUrl = DatabaseUtils.sqlEscapeString(imageUrl); + final String query = "" + + "SELECT " + KEY_USERNAME + "," + KEY_PASSWORD + " FROM " + TABLE_NAME_FEED_IMAGES + + " INNER JOIN " + TABLE_NAME_FEEDS + + " ON " + TABLE_NAME_FEED_IMAGES + "." + KEY_ID + "=" + TABLE_NAME_FEEDS + "." + KEY_IMAGE + + " WHERE " + TABLE_NAME_FEED_IMAGES + "." + KEY_DOWNLOAD_URL + "='" + downloadUrl + "'" + + " UNION SELECT " + KEY_USERNAME + "," + KEY_PASSWORD + + " FROM " + TABLE_NAME_FEED_IMAGES + + " INNER JOIN " + TABLE_NAME_FEED_ITEMS + + " ON " + TABLE_NAME_FEED_IMAGES + "." + KEY_ID + "=" + TABLE_NAME_FEED_ITEMS + "." + KEY_IMAGE + + " INNER JOIN " + TABLE_NAME_FEEDS + + " ON " + TABLE_NAME_FEED_ITEMS + "." + KEY_FEED + "=" + TABLE_NAME_FEEDS + "." + KEY_ID + + " WHERE " + TABLE_NAME_FEED_IMAGES + "." + KEY_DOWNLOAD_URL + "='" + downloadUrl + "'"; return db.rawQuery(query, null); } |