Some SQL injection in Android – how to use GROUP BY and CASE when you are not allowed to do so

I suppose you’re all familiar with the “academic” examples of SQL injection, where you append AND 1=1 to a query and magically gain access to all kinds of nasty things. I’ll show you how to use the same trick to do a SQL injection in Android, but for a good purpose 🙂

I had the following situation: I wanted to select all the calls from the call log grouped either by the caller name, if the number was in the agenda, or by the number, if it was not. To do this you need a content resolver, a URI and a projection that tells Android which columns you want to select. A typical call looks as follows:

Cursor cursor = getContentResolver().query(uri,
        new String[] { projection }, selection,
        new String[] { selectionArgs }, sortOrder);

As you can see, there is no way of telling Android how to group the rows. But we can trick it:

Cursor cursor = getContentResolver().query(CallLog.Calls.CONTENT_URI,
        new String[] { "_id", "name", "number", "duration", "type", "numbertype",
                "MAX(date) AS date",
                // use the contact name when the number is in the agenda, otherwise the number
                "(CASE WHEN name IS NULL THEN number ELSE name END) AS logname" },
        " 1=1 ) GROUP BY (logname", null, null);

Notice the " 1=1 ) GROUP BY (logname" string passed as the selection argument; this is where the magic happens 😉. The provider pastes the selection verbatim inside the parentheses of its WHERE clause, so the closing parenthesis terminates the "(1=1)" condition and what follows is appended as a GROUP BY clause. Also notice the syntax of the CASE expression that conditionally selects the name or the number; you can use it anywhere you need a conditional selection of columns.
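To make the mechanism concrete, here is an added example (not code from the post) that models in Python/sqlite3 how a content provider built on Android's SQLiteQueryBuilder assembles its statement: the caller's selection lands verbatim inside one pair of parentheses after WHERE, which is exactly what the trick above relies on. The same block also shows the check that SQLiteQueryBuilder.setStrict(true) performs on the provider side, simplified here as an assumption: the selection is wrapped in a second pair of parentheses and the query compiled, so a selection that closes the WHERE clause early becomes a syntax error and is rejected. The call-log rows, the table layout and the "calls" table name are constructed for the example.

```python
import sqlite3

# Constructed sample call-log rows (not real data):
# (_id, name, number, duration, type, date); name is NULL when the
# number is not in the contacts "agenda".
SAMPLE_CALLS = [
    (1, "Alice", "+40111", 60, 1, 1000),
    (2, "Alice", "+40111", 30, 2, 2000),
    (3, None, "+40999", 10, 1, 1500),
    (4, None, "+40999", 5, 3, 2500),
    (5, "Bob", "+40222", 120, 1, 1800),
]

# The projection from the post, with the CASE choosing name-or-number.
PROJECTION = [
    "_id", "name", "number", "duration", "type",
    "MAX(date) AS date",
    "(CASE WHEN name IS NULL THEN number ELSE name END) AS logname",
]


def open_db():
    """In-memory stand-in for the call-log database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE calls (_id INTEGER PRIMARY KEY, name TEXT, number TEXT,"
        " duration INTEGER, type INTEGER, date INTEGER)"
    )
    conn.executemany("INSERT INTO calls VALUES (?,?,?,?,?,?)", SAMPLE_CALLS)
    return conn


def build_query(projection, selection, wrap_twice=False):
    """Assemble the SELECT the way SQLiteQueryBuilder does (assumption,
    simplified): the selection is pasted verbatim inside one pair of
    parentheses. With wrap_twice=True it gets a second pair, which is
    the variant strict mode compiles purely for validation."""
    sql = "SELECT " + ", ".join(projection) + " FROM calls"
    if selection:
        inner = "(" + selection + ")" if wrap_twice else selection
        sql += " WHERE (" + inner + ")"
    return sql


def provider_query(conn, projection, selection, strict=False):
    """Model of the provider's query(): optional strict check, then run."""
    if strict:
        # Strict mode: the doubly wrapped selection must still compile.
        # " 1=1 ) GROUP BY (logname" becomes "WHERE (( 1=1 ) GROUP BY (logname))",
        # which is a syntax error, so the injected clause is rejected.
        validation_sql = build_query(projection, selection, wrap_twice=True)
        try:
            conn.execute("EXPLAIN " + validation_sql)  # compile only
        except sqlite3.OperationalError as exc:
            raise ValueError(f"rejected selection {selection!r}: {exc}") from None
    return conn.execute(build_query(projection, selection)).fetchall()


def grouped_call_log(conn, strict=False):
    """The post's trick: inject GROUP BY through the selection argument.
    Returns {logname: latest call date} for each contact or number."""
    rows = provider_query(conn, PROJECTION, " 1=1 ) GROUP BY (logname", strict=strict)
    return {row[6]: row[5] for row in rows}


if __name__ == "__main__":
    db = open_db()
    print("lenient provider:", grouped_call_log(db))
    try:
        grouped_call_log(db, strict=True)
    except ValueError as err:
        print("strict provider:", err)
```

Run lenient, the injected GROUP BY takes effect and one row per contact name or unknown number comes back with its latest date; run strict, the same selection is refused before anything executes, while an ordinary selection such as "type = 1" still passes the double-wrap check.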

Happy Android programming!


9 Replies to “Some SQL injection in Android – how to use GROUP BY and CASE when you are not allowed to do so”

  1. I wonder whether Android programmers nowadays really care about security when it comes to their code, especially SQL injection. Google should have an automated tool that will test apps for SQL injection or something….

  3. I have just fired this query:
    Uri uriSms = Uri.parse("content://sms");
    Cursor cursor = getContentResolver().query(uriSms, new String[] {"address", "max(date)"}, " 1=1 ) GROUP BY ( address", null, null);
    android.util.Log.i("COLUMNS", Arrays.toString(cursor.getColumnNames()));
    String[] columns = cursor.getColumnNames();
    on my S3 (ICS) and it works great.
