Prevent us from sql injecting ourselves on backup/restore

Fixes #7478
Moxie Marlinspike 2018-03-08 16:39:57 -08:00
parent 9fb67b9f03
commit a2d04f4806


@ -143,7 +143,7 @@ public class FullBackupExporter extends FullBackupBase {
for (int i=0;i<cursor.getColumnCount();i++) { for (int i=0;i<cursor.getColumnCount();i++) {
if (cursor.getType(i) == Cursor.FIELD_TYPE_STRING) { if (cursor.getType(i) == Cursor.FIELD_TYPE_STRING) {
statement.append('\''); statement.append('\'');
statement.append(cursor.getString(i)); statement.append(cursor.getString(i).replace("'", "\\'"));
statement.append('\''); statement.append('\'');
} else if (cursor.getType(i) == Cursor.FIELD_TYPE_FLOAT) { } else if (cursor.getType(i) == Cursor.FIELD_TYPE_FLOAT) {
statement.append(cursor.getFloat(i)); statement.append(cursor.getFloat(i));
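Review bot: The new escaping on the string branch, `.replace("'", "\\'")`, puts a backslash before the quote, but SQLite string literals do not treat backslash as an escape character; a quote inside a literal is written by doubling it. Assuming the exported statement is replayed by SQLite (or SQLCipher) on restore, a value containing `'` would still close the literal early, so the statement fails or is parsed differently than intended. I would change the line to `statement.append(cursor.getString(i).replace("'", "''"));`, or preferably stop building literals and bind the column values as parameters when the backup is restored. The `for` loop and the rest of the type chain continue outside the hunk, so the other branches are not reviewed here.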