Security Report

[scr2em]

Describe the bug
I have been asked to perform a DAST to my capacitor application, and I got these risks using immuniweb.com

This 1 High risk is due to these statements in the code

Any chance you might be looking into this?

[scr2em]

After a 30 minutes investigation, In SQLite, table and column names cannot be parameterized only the values, so we are forced to use string construction but...

We can query the database first to find if there is a table with that name or not, this means the table name will be used as a value here which can be parameterized

SELECT tbl_name FROM sqlite_master WHERE TYPE = 'table' AND tbl_name = ?

The DAST would still fail, but there will be a very good justification

[robingenz]

Thank you. Feel free to create a PR.

[github-actions]

It looks like there hasn't been a reply in 30 days, so I'm closing this issue.