Android Question Large listview crashes on Android 7

jpvniekerk

Active Member
Licensed User
Longtime User
I have an app that crashes on a customer's S8 phone (Android 7) opening a listview that contains a lot (> 1400) of items. A filtered list with < 100 items works fine.
I don't have a device with Android 7, but on Android 6 I don't get the problem at all, so I can't replicate the issue to debug myself.

My code for filling the listview is:
B4X:
If cur2.IsInitialized Then cur2.Close
If vFavPL = 0 Then
      sqlTxt = "SELECT ID, Name, Manf_ID FROM tblComp WHERE Type = 4 ORDER by Name COLLATE NOCASE"
    Else
      sqlTxt = "SELECT ID, Name, Manf_ID FROM tblComp WHERE Type = 4 AND Fav = 1 ORDER by Name COLLATE NOCASE"
    End If
cur2 = sql1.ExecQuery(sqlTxt)
For i = 0 To cur2.RowCount - 1
    cur2.Position = i
    lvPickList.AddSingleLine2(cur2.GetString("Name") &" ("&getManfAbbr(cur2.GetInt("Manf_ID"))&")",cur2.GetInt("ID"))
Next

If vFavPL = 0 (full list of ~1400 items) app crashes.
If vFavPL = 1 (~100 items) app does not crash.

Any ideas why this might happen?
 

jpvniekerk

Active Member
Licensed User
Longtime User
I'm going through my code (almost 20,000 lines!) to safeguard against SQL Injection.
As I understand it, whenever a variable is passed as part of a query, it should be done with parameterized statements (e.g. ExecQuery2); otherwise the "standard" statements are OK. To make sure I understand it correctly, please see if the following is correct:
B4X:
sql1.ExecNonQuery("UPDATE tblRecipeItems SET Percent = "&v14VGAdd&", VG = "&v14VGAdd&" WHERE Comp_ID = 1") ' DANGEROUS
sql1.ExecNonQuery2("UPDATE tblRecipeItems SET Percent = ?, VG = ? WHERE Comp_ID = 1", Array as String(v14VGAdd,v14VGAdd)) ' SAFE
v14tmpPG = sql1.ExecQuerySingleResult("SELECT SUM(PG) FROM tblRecipeItems WHERE Comp_ID <> 2") ' SAFE
v14tmpPG = sql1.ExecQuerySingleResult("SELECT SUM(PG) FROM tblRecipeItems WHERE Comp_ID <> '"&vType&"'") ' DANGEROUS
v14tmpPG = sql1.ExecQuerySingleResult2("SELECT SUM(PG) FROM tblRecipeItems WHERE Comp_ID <> ?",Array as String(vType)) ' SAFE
I don't fully understand the whole issue of SQL Injection, but I'd rather be safe. As my dad used to say "You don't need to understand how an internal combustion engine works, to drive a car". So as long as I am on the right track here, I'm OK with it!
 

DonManfred

Expert
Licensed User
Longtime User

netsistemas

Active Member
Licensed User
Longtime User
If VAR has this value: 1' or 1='1
or other sentences similar to this: '; delete from tblRecipeItems where '1'='1
What would happen?

This is only a simple idea of SQL injection, not real in this case (or maybe it is).

Imagine that the variable vType has this value: 1' or 1='1 (note the quotes).
The general idea is to add an OR 1=1 and think about the quotes.
You could also concatenate something like:
'; delete from tblRecipeItems where 1='1
Assuming the attacker knows the name of the table... but he could know it.
It's a simple idea of SQL injection, not real in this case (or perhaps it is).


v14tmpPG = sql1.ExecQuerySingleResult("SELECT SUM(PG) FROM tblRecipeItems WHERE Comp_ID <> '"&vType&"'")
 