SQL query should use "?" and selectionArgs

Bug #880322 reported by Koichi Akabe
This bug affects 2 people
Affects: Tomdroid
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

In the getListAdapter() function in src/org/tomdroid/NoteManager.java
we can find the following code:

    where = where + "("+Note.TITLE+" LIKE '%"+string+"%' OR "+Note.NOTE_CONTENT+" LIKE '%"+string+"%')";

But this code can cause a bug in some cases of search queries (like: %' ).
The search query string is added to the SQL code. If the search query contains brackets or other code, it can produce unexpected SQL.

Please see an attached patch for specific methods.
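An added example (not Tomdroid's code or the attached patch) showing the reported concatenation next to the "?" / selectionArgs form the title asks for; the column names TITLE and NOTE_CONTENT are assumed stand-ins for Note.TITLE and Note.NOTE_CONTENT, and the sample input is constructed. It also escapes the LIKE wildcards % and _ so that a user typing them gets a literal match rather than a wildcard, which the selectionArgs fix alone does not cover.

```java
import java.util.Arrays;

public final class NoteSearch {
    // Assumed stand-ins for Note.TITLE / Note.NOTE_CONTENT
    static final String TITLE = "title";
    static final String NOTE_CONTENT = "content";

    /** A selection string plus the arguments bound to its "?" placeholders. */
    static final class Selection {
        final String where;
        final String[] args;
        Selection(String where, String[] args) { this.where = where; this.args = args; }
    }

    // The reported pattern: the user's text is spliced into the SQL itself,
    // so a quote or bracket in the search box changes the statement.
    static String vulnerableWhere(String userText) {
        return "(" + TITLE + " LIKE '%" + userText + "%' OR "
             + NOTE_CONTENT + " LIKE '%" + userText + "%')";
    }

    // Fixed form: the SQL text is constant; the user's text travels only in
    // selectionArgs. % and _ typed by the user are escaped with '\' and the
    // ESCAPE clause so they match literally.
    static Selection safeSelection(String userText) {
        String escaped = userText.replace("\\", "\\\\")
                                 .replace("%", "\\%")
                                 .replace("_", "\\_");
        String pattern = "%" + escaped + "%";
        String where = "(" + TITLE + " LIKE ? ESCAPE '\\' OR "
                     + NOTE_CONTENT + " LIKE ? ESCAPE '\\')";
        return new Selection(where, new String[] { pattern, pattern });
    }

    public static void main(String[] args) {
        String input = "50%')";  // constructed sample input with a quote and a bracket
        System.out.println(vulnerableWhere(input));  // statement now contains the input
        Selection s = safeSelection(input);
        System.out.println(s.where);                 // statement text unchanged
        System.out.println(Arrays.toString(s.args)); // [%50\%'), %50\%')]
        // On Android the pair is passed as
        // db.query("notes", null, s.where, s.args, null, null, null)
        // or resolver.query(uri, projection, s.where, s.args, sortOrder).
    }
}
```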

Koichi Akabe (vbkaisetsu) wrote :
description: updated
Changed in tomdroid:
assignee: nobody → Koichi Akabe (vbkaisetsu)
Changed in tomdroid:
status: New → In Progress
description: updated
Changed in tomdroid:
importance: Undecided → High
Changed in tomdroid:
milestone: none → 0.5.1
Changed in tomdroid:
assignee: Koichi Akabe (vbkaisetsu) → nobody
Changed in tomdroid:
status: In Progress → Confirmed
status: Confirmed → Invalid
status: Invalid → In Progress
Koichi Akabe (vbkaisetsu) wrote :

It's already fixed on 0.7

Changed in tomdroid:
status: In Progress → Fix Committed
status: Fix Committed → Fix Released