nousheen-n / androboinc

Automatically exported from code.google.com/p/androboinc

Host nickname input not sanitized #16

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Error reported from Google Play:

v6.10.17.beta3
Jun 4, 2012 8:23:42 AM
1 reports 

android.database.sqlite.SQLiteException: unrecognized token: "'Oliv''": , while compiling: SELECT DISTINCT _id, nickname FROM hosts WHERE _id!=-1 AND nickname='Oliv''
at android.database.sqlite.SQLiteCompiledSql.native_compile(Native Method)
at android.database.sqlite.SQLiteCompiledSql.compile(SQLiteCompiledSql.java:92)
at android.database.sqlite.SQLiteCompiledSql.<init>(SQLiteCompiledSql.java:65)
at android.database.sqlite.SQLiteProgram.<init>(SQLiteProgram.java:83)
at android.database.sqlite.SQLiteQuery.<init>(SQLiteQuery.java:49)
at android.database.sqlite.SQLiteDirectCursorDriver.query(SQLiteDirectCursorDriver.java:42)
at android.database.sqlite.SQLiteDatabase.rawQueryWithFactory(SQLiteDatabase.java:1356)
at android.database.sqlite.SQLiteDatabase.queryWithFactory(SQLiteDatabase.java:1235)
at android.database.sqlite.SQLiteDatabase.query(SQLiteDatabase.java:1189)
at sk.boinc.androboinc.util.HostListDbAdapter.hostUnique(HostListDbAdapter.java:196)
at sk.boinc.androboinc.EditHostActivity.setConfirmButtonState(EditHostActivity.java:156)
at sk.boinc.androboinc.EditHostActivity.access$0(EditHostActivity.java:148)
at sk.boinc.androboinc.EditHostActivity$1.afterTextChanged(EditHostActivity.java:80)
at android.widget.TextView.sendAfterTextChanged(TextView.java:6335)
at android.widget.TextView$ChangeWatcher.afterTextChanged(TextView.java:6523)
at android.text.SpannableStringBuilder.sendTextHasChanged(SpannableStringBuilder.java:897)
at android.text.SpannableStringBuilder.change(SpannableStringBuilder.java:353)
at android.text.SpannableStringBuilder.change(SpannableStringBuilder.java:269)
at android.text.SpannableStringBuilder.replace(SpannableStringBuilder.java:432)
at android.text.SpannableStringBuilder.replace(SpannableStringBuilder.java:409)
at android.text.SpannableStringBuilder.replace(SpannableStringBuilder.java:28)
at android.view.inputmethod.BaseInputConnection.replaceText(BaseInputConnection.java:654)
at android.view.inputmethod.BaseInputConnection.commitText(BaseInputConnection.java:180)
at com.android.internal.widget.EditableInputConnection.commitText(EditableInputConnection.java:129)
at com.android.internal.view.IInputConnectionWrapper.executeMessage(IInputConnectionWrapper.java:273)
at com.android.internal.view.IInputConnectionWrapper$MyHandler.handleMessage(IInputConnectionWrapper.java:75)
at android.os.Handler.dispatchMessage(Handler.java:99)
at android.os.Looper.loop(Looper.java:130)
at android.app.ActivityThread.main(ActivityThread.java:3835)
at java.lang.reflect.Method.invokeNative(Native Method)
at java.lang.reflect.Method.invoke(Method.java:507)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:847)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:605)
at dalvik.system.NativeStart.main(Native Method)

Apparently it is caused by the single-quote character (') in the host nickname.

What steps will reproduce the problem?
1. Add new host
2. In the nickname use the single-quote character, e.g. test'1
3. As soon as the next field is selected, activity crashes

Possible solutions:
a) Ignore single-quote in input of nickname (never use it)
b) Try to use escape code &#39; or possibly &#8217; when single-quote is entered by user

Original issue reported on code.google.com by pavol.michalec@gmail.com on 26 Aug 2012 at 10:30

GoogleCodeExporter commented 8 years ago
This issue was closed by revision r56.

Original comment by pavol.michalec@gmail.com on 29 Aug 2012 at 2:01

GoogleCodeExporter commented 8 years ago
Implementation details:
Character apostrophe (U+0027) is replaced by right single quotation (U+2019) by input filter.
Typographically it is nearly the same character, so user experience is not disturbed.

Original comment by pavol.michalec@gmail.com on 5 Sep 2012 at 2:07
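
An added example, not part of the original thread or the AndroBOINC code: it reproduces the reported SQLite error with the query from the stack trace, then compares the input-filter fix described above with binding the nickname as a query parameter (on Android, the `selectionArgs` argument of `SQLiteDatabase.query`). The function names, the in-memory `hosts` table and its rows are assumptions constructed for the demonstration.

```python
import sqlite3

APOSTROPHE, RIGHT_QUOTE = "\u0027", "\u2019"

def open_hosts_db():
    """In-memory stand-in for the app's hosts table (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hosts (_id INTEGER PRIMARY KEY, nickname TEXT)")
    db.executemany("INSERT INTO hosts (nickname) VALUES (?)",
                   [("Oliv'",), ("test1",)])
    return db

def host_unique_concat(db, row_id, nickname):
    """Failing pattern: the nickname is spliced into the SQL text itself."""
    sql = ("SELECT DISTINCT _id, nickname FROM hosts "
           "WHERE _id!=%d AND nickname='%s'" % (row_id, nickname))
    return db.execute(sql).fetchone() is None

def nickname_input_filter(nickname):
    """Mitigation described in the thread: U+0027 is replaced by U+2019."""
    return nickname.replace(APOSTROPHE, RIGHT_QUOTE)

def host_unique_bound(db, row_id, nickname):
    """Bound parameters: the value never becomes part of the SQL text."""
    sql = ("SELECT DISTINCT _id, nickname FROM hosts "
           "WHERE _id!=? AND nickname=?")
    return db.execute(sql, (row_id, nickname)).fetchone() is None

def demo():
    db = open_hosts_db()
    results = {}
    try:
        host_unique_concat(db, -1, "Oliv'")
        results["concat"] = "ok"
    except sqlite3.OperationalError as exc:
        # Same tokenizer failure as in the Google Play report.
        results["concat"] = str(exc)
    # The filtered value parses, but it is no longer the string the user typed.
    filtered = nickname_input_filter("Oliv'")
    results["filtered_concat"] = host_unique_concat(db, -1, filtered)
    # Binding keeps the apostrophe and still finds the existing row.
    results["bound_existing"] = host_unique_bound(db, -1, "Oliv'")
    results["bound_new"] = host_unique_bound(db, -1, "test'1")
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The input filter only protects values that pass through that text field and changes the stored nickname, while the bound query accepts any nickname unchanged regardless of where it came from.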

GoogleCodeExporter commented 8 years ago
Verified on published v6.10.58.rc2

Original comment by pavol.michalec@gmail.com on 9 Sep 2012 at 4:10