Fix SQL injection vulnerability and crashes when an apostrophe is present in a computer name

2025-07-19 19:13:03 +00:00 · 2016-01-06 15:17:30 -06:00 · 2016-01-06 15:17:30 -06:00 · 7594e51a18
commit 7594e51a18
parent bf22819b53
1 changed files with 2 additions and 2 deletions
--- a/app/src/main/java/com/limelight/computers/ComputerDatabaseManager.java
+++ b/app/src/main/java/com/limelight/computers/ComputerDatabaseManager.java
@ -53,7 +53,7 @@ public class ComputerDatabaseManager {
    }

    public void deleteComputer(String name) {
-        computerDb.delete(COMPUTER_TABLE_NAME, COMPUTER_NAME_COLUMN_NAME+"='"+name+"'", null);
+        computerDb.delete(COMPUTER_TABLE_NAME, COMPUTER_NAME_COLUMN_NAME+"=?", new String[]{name});
    }

    public boolean updateComputer(ComputerDetails details) {
@ -118,7 +118,7 @@ public class ComputerDatabaseManager {
    }

    public ComputerDetails getComputerByName(String name) {
-        Cursor c = computerDb.rawQuery("SELECT * FROM "+COMPUTER_TABLE_NAME+" WHERE "+COMPUTER_NAME_COLUMN_NAME+"='"+name+"'", null);
+        Cursor c = computerDb.query(COMPUTER_TABLE_NAME, null, COMPUTER_NAME_COLUMN_NAME+"=?", new String[]{name}, null, null, null);
        ComputerDetails details = new ComputerDetails();
        if (!c.moveToFirst()) {
            // No matching computer