App data security testing

1. Introduction

Android apps keep their local structured data in SQLite. SQLite is an ACID-compliant relational database management system packaged as a relatively small C library. Unlike most other database management systems it is not a client/server engine: the engine is linked into the application itself, and each database is an ordinary file in the app's private data directory.

Android uses SQLite because it has a small memory footprint, needs no server setup or configuration, and can be called directly from application code through the android.database.sqlite package.

2. Get the SQLite file

By default an app's SQLite databases live under /data/data/[package name]/databases/ on the device, usually with the .db extension (the file name is whatever the app passed to SQLiteOpenHelper or openOrCreateDatabase, so other extensions also occur). That directory belongs to the app's own UID, so reading it over adb requires a rooted device (for an app built with android:debuggable="true", the run-as command also works). Copy the -journal and -wal files that sit next to a database as well: they can hold recently written rows that are not yet in the main file.

1. Open an adb shell, switch to root with su, and enter the device's /data/data directory to find the package under test.

2. Taking the package com.xueqiu.android as an example, enter its databases directory; the app's .db files (and any -journal or -wal sidecars) are listed there.

3. Exit the adb shell and copy the required .db file to the workstation, for example by copying it to /sdcard as root and then fetching it with adb pull.

3. View the SQLite file

After exporting the .db file, you can open it in DB Browser for SQLite to inspect its contents.

It can be downloaded from the Downloads page of the DB Browser for SQLite site (sqlitebrowser.org); pick the build for your operating system.

1. Start the application and choose File -> Open Database from the menu bar, then select the copied .db file to view the database's table structure and contents.

2. Use the Browse Data tab to page through the rows of each table, or the Execute SQL tab to run your own queries against it.
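The two procedures above (pulling the file in section 2 and inspecting it in section 3) can be scripted, which is useful when many packages have to be triaged. The block below is an added example, not code from the original post. pull_database() assumes a rooted device with a working su binary and adb on the PATH and is not exercised by the test; storage_format() checks the 16-byte SQLite header so an encrypted (SQLCipher-style) or non-SQLite file is not mistaken for a plaintext database; triage() walks sqlite_master for column names that look sensitive (the SENSITIVE pattern is an assumed starting list) and samples one value from each. build_fixture() creates a constructed database standing in for a pulled .db file.

```python
import os
import re
import sqlite3
import subprocess
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every plaintext SQLite 3 file
# Column names worth a closer look; extend this for the app under test (assumed list).
SENSITIVE = re.compile(r"pass|pwd|secret|token|session|cookie|key|auth|card|phone|mail", re.I)


def pull_database(package, db_name, dest_dir):
    """Copy /data/data/<package>/databases/<db_name> plus its -wal/-journal sidecars
    into dest_dir. Assumes a rooted device with `su` and adb on the PATH (not run by the test)."""
    remote = "/data/data/%s/databases/%s" % (package, db_name)
    for suffix in ("", "-wal", "-journal"):
        staged = "/sdcard/%s%s" % (db_name, suffix)
        # /data/data is unreadable to the adb shell user, so stage a copy as root first
        subprocess.run(["adb", "shell", "su -c 'cp %s%s %s'" % (remote, suffix, staged)], check=False)
        subprocess.run(["adb", "pull", staged, os.path.join(dest_dir, db_name + suffix)], check=False)
    return os.path.join(dest_dir, db_name)


def storage_format(path):
    """'plaintext-sqlite' if the header matches; anything else is encrypted or not SQLite at all."""
    with open(path, "rb") as f:
        return "plaintext-sqlite" if f.read(16) == SQLITE_MAGIC else "not-plaintext-sqlite"


def _q(identifier):
    # Quote a table/column name read from the file so an odd name cannot break the query
    return '"' + identifier.replace('"', '""') + '"'


def triage(path):
    """Return (table, column, sample value) for every column whose name looks sensitive."""
    conn = sqlite3.connect("file:%s?mode=ro" % path, uri=True)  # read-only: never alter evidence
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for row in conn.execute("PRAGMA table_info(%s)" % _q(table)):
            column = row[1]
            if SENSITIVE.search(column):
                sample = conn.execute(
                    "SELECT %s FROM %s LIMIT 1" % (_q(column), _q(table))).fetchone()
                findings.append((table, column, sample[0] if sample else None))
    conn.close()
    return findings


def build_fixture(directory):
    """Constructed stand-in for a pulled app database (sample data, not from any real app)."""
    path = os.path.join(directory, "app.db")
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE prefs(id INTEGER PRIMARY KEY, theme TEXT);
        INSERT INTO users(username, password) VALUES ('alice', 'hunter2');
        INSERT INTO prefs(theme) VALUES ('dark');
    """)
    conn.commit()
    conn.close()
    return path


def run_demo():
    """Build the fixture plus a non-SQLite file and triage both."""
    directory = tempfile.mkdtemp()
    db = build_fixture(directory)
    blob = os.path.join(directory, "blob.bin")
    with open(blob, "wb") as f:
        f.write(b"\x00" * 32)  # constructed: looks nothing like a SQLite header
    return storage_format(db), triage(db), storage_format(blob)


if __name__ == "__main__":
    print(run_demo())
```

A plaintext password sampled straight out of the users table is exactly the kind of finding this test is looking for; a file that fails the header check is the next question to answer (is the app using SQLCipher, and where does it keep the key?).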

4. SQLite data security

SQL injection

If user-supplied input is concatenated into the SQL statements the app runs against its SQLite database, the app is exposed to SQL injection.

SQL injection means placing SQL syntax in an input the application embeds in a query (a form field, a URL query string, or any text field of the app) so that the database engine executes statements the developer never intended.

For example, take a form where the user can enter a name, and server-side PHP that builds the query from that value (this snippet is deliberately vulnerable):

$name = $_GET['name'];                                    // raw request parameter

$dbh->query("SELECT * FROM users WHERE name='{$name}'"); // pasted straight into the SQL text

So what happens when the user enters the name python';DELETE FROM users; '?

SELECT * FROM users WHERE name='python';DELETE FROM users;'';

If the database driver runs every statement it is handed, the SELECT executes, the DELETE then empties the users table, and only afterwards does the leftover '' cause a syntax error. Drivers that compile a single statement per call do not run the stacked DELETE: Android's SQLiteDatabase methods (rawQuery, execSQL) compile only the first statement in the string, and Python's sqlite3 execute() raises a ProgrammingError. The same concatenation is still exploitable there with payloads that stay inside one statement, such as ' OR '1'='1 to make a login lookup match every row, or x' UNION SELECT ... to read rows from another table.

5. Prevent SQL injection

To prevent SQL injection, pay attention to the following points:

1. Do not trust user input.

2. Validate user input against a whitelist (a regular expression for the allowed characters, a maximum length). Escaping single and double quotes is only a last resort: it is easy to get wrong and does nothing for values inserted into unquoted numeric positions.

3. Do not assemble SQL dynamically; use prepared statements with bound parameters. On Android that means the selectionArgs and bindArgs parameters of query, rawQuery and execSQL, or SQLiteStatement with its bind methods.

4. Do not use a database connection with administrator privileges; give each application its own account with only the privileges it needs. SQLite has no accounts, but code paths that only read can open the database read-only so that an injected write fails.

5. Do not store confidential information in plain text: hash passwords with a salted, slow hash and encrypt other sensitive fields (or the whole database, for example with SQLCipher), since anyone who can pull the .db file as shown above can read every row.

6. Application error messages should reveal as little as possible: wrap the original database error in a generic custom message and keep the details in the log, because a verbose SQL error tells an attacker exactly how the injected string was parsed.
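Points 2 to 5 of the list, worked through on a constructed on-disk SQLite database; this is an added example, not code from the original post. The NAME_RE whitelist is an assumed policy, find_user_safe() binds the value with a ? placeholder, open_readonly() uses SQLite's mode=ro URI as the stand-in for a limited-privilege account, and hash_password() uses salted PBKDF2-HMAC-SHA256 as one reasonable choice of slow hash (the iteration count is an assumption, not a recommendation from the page).

```python
import hashlib
import hmac
import os
import re
import sqlite3
import tempfile

# Whitelist for a login name: letters, digits, '.', '_' and '-', at most 32 characters (assumed policy).
NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def valid_name(name):
    """Point 2: reject anything outside the whitelist instead of trying to escape quotes."""
    return NAME_RE.fullmatch(name) is not None


def find_user_safe(conn, name):
    """Point 3: '?' placeholder; the value is bound as data and is never parsed as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name=?", (name,)).fetchall()


def open_readonly(path):
    """Point 4: a read-only connection for code paths that only read (SQLite has no accounts)."""
    return sqlite3.connect("file:%s?mode=ro" % path, uri=True)


def delete_all_as_reader(path):
    """Try the damaging statement over the read-only connection; return the engine's refusal."""
    conn = open_readonly(path)
    try:
        conn.execute("DELETE FROM users")
        conn.commit()
        return None
    except sqlite3.OperationalError as e:   # "attempt to write a readonly database"
        return str(e)
    finally:
        conn.close()


def hash_password(password, salt=None):
    """Point 5: salted PBKDF2-HMAC-SHA256, stored as hex(salt)$hex(digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _digest_hex = stored.split("$", 1)
    recomputed = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


def build_fixture(directory):
    """Constructed users database on disk (sample data) so the read-only URI can be exercised."""
    path = os.path.join(directory, "users.db")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users(name, password) VALUES (?, ?)",
                 ("alice", hash_password("hunter2")))
    conn.commit()
    conn.close()
    return path


def run_demo():
    path = build_fixture(tempfile.mkdtemp())
    conn = sqlite3.connect(path)
    payload = "' OR '1'='1"
    stored = conn.execute("SELECT password FROM users WHERE name=?", ("alice",)).fetchone()[0]
    result = {
        "payload_passes_whitelist": valid_name(payload),
        "legit": find_user_safe(conn, "alice"),
        "payload_rows": find_user_safe(conn, payload),   # bound as a literal name: no match
        "reader_delete_error": delete_all_as_reader(path),
        "rows_left": conn.execute("SELECT COUNT(*) FROM users").fetchone()[0],
        "good_password": verify_password("hunter2", stored),
        "bad_password": verify_password("letmein", stored),
    }
    conn.close()
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The bound query treats ' OR '1'='1 as a name that no user has, the read-only connection turns the DELETE into an error instead of an empty table, and the stored password column is useless to whoever pulls the .db file.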

Source: blog.csdn.net/qq_38571773/article/details/128247981