Java: SQLInjection example for addJavaScriptInterface query

java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterfaceExample.java

@@ -1,11 +1,23 @@
-class ExposedObject {
+import android.webkit.JavascriptInterface;
+import android.database.sqlite.SQLiteOpenHelper;
+
+class ExposedObject extends SQLiteOpenHelper {
     @JavascriptInterface
-    public String example() {
+    public String studentEmail(String studentName) {
-        return "String from Java";
+        // SQL injection
+        String query = "SELECT email FROM students WHERE studentname = '" + studentName + "'";
+
+        Cursor cursor = db.rawQuery(query, null);
+        cursor.moveToFirst();
+        String email = cursor.getString(0);
+
+        return email;
     }
 }
 
 webview.getSettings().setJavaScriptEnabled(true);
 webview.addJavaScriptInterface(new ExposedObject(), "exposedObject");
 webview.loadData("", "text/html", null);
-webview.loadUrl("javascript:alert(exposedObject.example())");
+
+String name = "Robert'; DROP TABLE students; --";
+webview.loadUrl("javascript:alert(exposedObject.studentEmail(\""+ name +"\"))");