I made an Android application using Ionic V3 and I tested it with MobSF. I have a problem with SQL injection, the severity is high, and the issue is:
App uses SQLite Database and execute raw SQL query. Untrusted user input in raw SQL queries can cause SQL Injection. Also sensitive information should be encrypted and written to the database.
I already used SQLCipher, crypto and others.
Does anyone know the solution?
Before you start deploying encryption, please take the time to solicit advice from experts on the topic. Security is very very hard, and chains are only as strong as their weakest link. Generally speaking, I don’t think encrypting things that are stored on-device makes much sense in Ionic applications. As far as SQL injection goes - and this is not Ionic-specific by any means - the only place that what the warning is calling “untrusted user input” (things like stuff entered in HTML form fields) should ever be used is in binding values for placeholders. See the “parameters” section of the docs for more syntax details.
Never ever cobble together SQL statements using string concatenation:
let query = "SELECT * FROM students WHERE name = '" + studentName + "'"
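As an added illustration (not code from this thread), the concatenated query above next to the bound-parameter form the answer recommends. `RecordingDb` is a constructed stand-in that only records what would be sent to SQLite, mirroring the `executeSql(sql, params)` signature of the `@ionic-native/sqlite` `SQLiteObject`, so the snippet runs without a device or the Cordova plugin:

```typescript
// Added example: concatenation vs. parameter binding for an Ionic SQLite lookup.
// RecordingDb is a constructed stand-in for SQLiteObject; it records calls
// instead of touching a real database.

interface SqlCall { sql: string; params: (string | number | null)[] }

class RecordingDb {
  calls: SqlCall[] = [];
  executeSql(sql: string, params: (string | number | null)[] = []): Promise<SqlCall> {
    const call: SqlCall = { sql, params };
    this.calls.push(call);          // recorded synchronously, before the promise resolves
    return Promise.resolve(call);
  }
}

// VULNERABLE: the user-supplied name becomes part of the SQL text, so the
// statement's shape depends on whatever the user typed (MobSF flags this).
function findStudentUnsafe(db: RecordingDb, studentName: string): void {
  const query = "SELECT * FROM students WHERE name = '" + studentName + "'";
  db.executeSql(query, []);
}

// SAFE: the SQL text is a constant; the value travels separately as a bound
// parameter and is never parsed as SQL by the engine.
function findStudentSafe(db: RecordingDb, studentName: string): void {
  db.executeSql("SELECT * FROM students WHERE name = ?", [studentName]);
}

// Property that distinguishes the two: with binding, the SQL text sent to the
// database is identical for every input; with concatenation it is not.
function sqlTextIsFixed(
  lookup: (db: RecordingDb, name: string) => void,
  inputs: string[],
): boolean {
  const db = new RecordingDb();
  for (const name of inputs) lookup(db, name);
  const texts = db.calls.map(c => c.sql);
  return texts.every(t => t === texts[0]);
}
```

A name containing an apostrophe (a perfectly legitimate "O'Brien") is enough to show the difference: the concatenated statement changes shape and would not even parse, while the bound form sends the same SQL every time and hands the apostrophe over as data.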