One of the most common classes of vulnerabilities in both web applications and mobile applications is injection. SQLite is no exception: if user-supplied input is placed into a dynamic SQL query as is, or with only partial and insufficient escaping, an attacker can change the meaning of the query.
Let's have a look at the SQL query used to query the data in the application, as shown here:
// Deliberately vulnerable: uname and pword come straight from user input and are concatenated into the query
String getSQL = "SELECT * FROM " + tableName + " WHERE " + username + " = '" + uname + "' AND " + password + " = '" + pword + "'";
Cursor cursor = dataBase.rawQuery(getSQL, null);
In the preceding SQL query, the uname and pword fields are being passed from the user input directly into the SQL query, which is then executed using the
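The following is an added example, not code from the book, that reproduces the same concatenated login query against a real SQLite database and shows what a tautology payload and a comment payload do to it, beside the parameterized form (the equivalent of passing the values as the second argument of rawQuery instead of null). The table, the users and the payload strings are constructed for the demonstration; Python's sqlite3 module is used because it drives the same SQLite engine an Android app would.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite database with two users.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    db.execute("INSERT INTO users VALUES ('bob', 'hunter2')")
    db.commit()
    return db

def login_vulnerable(db, uname, pword):
    """Mirrors the rawQuery pattern above: user input concatenated into SQL."""
    sql = ("SELECT * FROM users WHERE username = '" + uname +
           "' AND password = '" + pword + "'")
    return db.execute(sql).fetchall()

def login_safe(db, uname, pword):
    """Same query with bound parameters; the input is treated purely as data.
    This corresponds to rawQuery(sql, new String[]{uname, pword}) on Android."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (uname, pword)).fetchall()

# Constructed payloads (hypothetical attacker input).
TAUTOLOGY = "' OR '1'='1"   # turns the WHERE clause into (... AND password='') OR '1'='1'
COMMENT = "alice'--"        # closes the quote and comments out the password check

def demo():
    """Runs each case and returns the number of rows each query matched."""
    db = make_db()
    return {
        "vuln_valid":   len(login_vulnerable(db, "alice", "s3cret")),
        "vuln_wrong":   len(login_vulnerable(db, "alice", "wrong")),
        "vuln_inject":  len(login_vulnerable(db, "alice", TAUTOLOGY)),  # every row
        "vuln_comment": len(login_vulnerable(db, COMMENT, "anything")),  # alice, no password
        "safe_inject":  len(login_safe(db, "alice", TAUTOLOGY)),
        "safe_comment": len(login_safe(db, COMMENT, "anything")),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

With the concatenated query the tautology payload matches both users and the comment payload logs in as alice with no password at all; with bound parameters both payloads match nothing, because SQLite never parses them as SQL. The same applies to the table and column names (tableName, username, password in the snippet above): parameters cannot bind identifiers, so those must come from a fixed list in the code, never from user input.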