1 /* 2 * Copyright 2019 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package com.android.providers.telephony; 18 19 public class SqlQueryChecker { 20 private static final String SELECT_TOKEN = "select"; 21 checkToken(String token)22 static void checkToken(String token) { 23 if (SELECT_TOKEN.equals(token.toLowerCase())) { 24 throw new IllegalArgumentException("SELECT token not allowed in query"); 25 } 26 } 27 28 /** 29 * Check the query parameters to see if they contain subqueries. Throws an 30 * {@link IllegalArgumentException} if they do. See 31 * {@link android.content.ContentProvider#query} for the definitions of the arguments. 32 */ checkQueryParametersForSubqueries(String[] projection, String selection, String sortOrder)33 static void checkQueryParametersForSubqueries(String[] projection, 34 String selection, String sortOrder) { 35 if (projection != null) { 36 for (String proj : projection) { 37 SQLiteTokenizer.tokenize(proj, SQLiteTokenizer.OPTION_NONE, 38 SqlQueryChecker::checkToken); 39 } 40 } 41 SQLiteTokenizer.tokenize(selection, SQLiteTokenizer.OPTION_NONE, 42 SqlQueryChecker::checkToken); 43 SQLiteTokenizer.tokenize(sortOrder, SQLiteTokenizer.OPTION_NONE, 44 SqlQueryChecker::checkToken); 45 } 46 } 47