Some SQL injection in Android – how to use GROUP BY and CASE when you are not allowed to do so

I suppose you’re all familiar with the “academic” examples of SQL injection when you put a AND 1=1 at the end of the SQL query and magically you get access to all kind of nasty things. I’ll show you how to use the same trick to do a SQL injection in Android, but for a good thing :)

I had the following situation: I’ve wanted to select group all the calls from the call log either by the caller name if the number was in the agenda or by number if the number was not in the agenda. To do this you need a content resolver, a URI and a projection to tell Android which columns you want to select. A typical call will look as follows:

getContentResolver().query(CallLog.Calls.CONTENT_URI, 
new String[] { projection}, selection, new String[] 
{selectionArgs}, sortOrder)

As you notice there is no way of telling android how to group the rows. But we Continue reading