[guardian-dev] SQLCipher Android - Lazy coding leaks SQL statements in logs?

Shawn Van Every shawn at guardianproject.info
Mon Apr 21 16:59:49 EDT 2014


In the process of using SQLCipher for Android, I have noticed log messages such as the following:

04-18 17:25:35.533: W/Database(18228): Reached MAX size for compiled-sql statement cache for database /data/data/info.guardianproject.courier/databases/bigbuffalo.db; i.e., NO space for this sql statement in cache: select item_id, item_guid, item_feed_id from items where item_guid = 'http://www.cnn.com/video/data/2.0/video/us/2014/04/17/dnt-drone-discovers-village-in-new-mexico.krqe.html' and item_feed_id = ?;. Please change your sql statements to use '?' for bindargs, instead of using actual values

I am aware that this is the result of lazy programming and not using bindargs in my SQL statements, but I believe that this type of warning log message gives away too much information, potentially leaking sensitive data, and it should be modified.

(I believe, SQLite on Android exhibits the same behavior.)

Thoughts..?
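As an added illustration of the concern raised above (example code, not part of the original post or of the SQLCipher project), the script below scans logcat output for the compiled-SQL cache warning, extracts the statement it prints, lists any literal values embedded in it (the data the log would leak), and shows the redacted form the statement would have had with '?' bindargs. The warning format is assumed to be exactly the one quoted in the post; the logcat sample, package name, database name and URL are constructed placeholders.

```python
"""Audit Android/SQLCipher logcat output for the compiled-SQL cache warning and
flag statements that embed literal values instead of '?' bind arguments."""
import re

# Constructed logcat sample modelled on the warning quoted in the post; the
# package, database name and URL are placeholders, not real data.
SAMPLE_LOGCAT = """\
04-18 17:25:35.533: W/Database(18228): Reached MAX size for compiled-sql statement cache for database /data/data/com.example.app/databases/example.db; i.e., NO space for this sql statement in cache: select item_id, item_guid, item_feed_id from items where item_guid = 'http://example.invalid/article/1' and item_feed_id = ?;. Please change your sql statements to use '?' for bindargs, instead of using actual values
04-18 17:25:36.001: W/Database(18228): Reached MAX size for compiled-sql statement cache for database /data/data/com.example.app/databases/example.db; i.e., NO space for this sql statement in cache: select item_id from items where item_guid = ? and item_feed_id = ?;. Please change your sql statements to use '?' for bindargs, instead of using actual values
04-18 17:25:36.200: D/Unrelated(18228): some other log line
"""

# Shape of the warning as quoted in the post (assumed fixed): timestamp, tag,
# pid, database path, the full SQL text, then the trailing advice.
CACHE_WARNING = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}): W/Database\((?P<pid>\d+)\): "
    r"Reached MAX size for compiled-sql statement cache for database (?P<db>[^;]+); "
    r"i\.e\., NO space for this sql statement in cache: (?P<sql>.*?);\. Please change"
)

# SQL string literals (with '' escaping) and bare numeric literals that follow
# an operator, comma, opening parenthesis or whitespace.
LITERAL = re.compile(
    r"'(?:[^']|'')*'"
    r"|(?<=[=<>(,\s])-?\d+(?:\.\d+)?(?=[\s,);]|$)"
)


def parse_cache_warnings(logcat_text):
    """Return one dict (ts, pid, db, sql) per cache warning in the logcat text."""
    findings = []
    for line in logcat_text.splitlines():
        m = CACHE_WARNING.match(line)
        if m:
            findings.append(m.groupdict())
    return findings


def find_literals(sql):
    """List the literal values embedded in a statement, i.e. what the log leaks."""
    return [m.group(0) for m in LITERAL.finditer(sql)]


def redact_literals(sql):
    """Replace embedded literals with '?': the form the statement should have
    used, and the form a warning could print without exposing data."""
    return LITERAL.sub("?", sql)


def audit(logcat_text):
    """Attach the leaked literals and a redacted statement to each warning."""
    report = []
    for w in parse_cache_warnings(logcat_text):
        report.append({
            "ts": w["ts"],
            "db": w["db"],
            "sql": w["sql"],
            "literals": find_literals(w["sql"]),
            "redacted": redact_literals(w["sql"]),
        })
    return report


if __name__ == "__main__":
    for f in audit(SAMPLE_LOGCAT):
        status = "LEAKS LITERALS" if f["literals"] else "bindargs only"
        print(f"{f['ts']} {f['db']}: {status}")
        for lit in f["literals"]:
            print(f"    leaked value: {lit}")
        print(f"    redacted: {f['redacted']}")
```

Run against a captured logcat file instead of SAMPLE_LOGCAT to find which statements in an app still inline their values; the redacted output doubles as the list of queries to rewrite with selectionArgs.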
