getodk · lognaturel · Jun 13, 2018 · Jun 8, 2018 · dcbriccetti · Jun 17, 2018
diff --git a/collect_app/src/main/java/org/odk/collect/android/provider/FormsProvider.java b/collect_app/src/main/java/org/odk/collect/android/provider/FormsProvider.java
@@ -94,14 +94,14 @@ public Cursor query(@NonNull Uri uri, String[] projection, String selection,
 
         SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
         qb.setTables(FORMS_TABLE_NAME);
+        qb.setProjectionMap(sFormsProjectionMap);
+        qb.setStrict(true);
 
         switch (sUriMatcher.match(uri)) {
             case FORMS:
-                qb.setProjectionMap(sFormsProjectionMap);
                 break;
 
             case FORM_ID:
-                qb.setProjectionMap(sFormsProjectionMap);
                 qb.appendWhere(FormsColumns._ID + "="
                         + uri.getPathSegments().get(1));
                 break;
@@ -360,13 +360,21 @@ public int delete(@NonNull Uri uri, String where, String[] whereArgs) {
                         }
                     }
 
+                    String[] newWhereArgs;
+                    if (whereArgs == null || whereArgs.length == 0) {
+                        newWhereArgs = new String[] {formId};
+                    } else {
+                        newWhereArgs = new String[(whereArgs.length + 1)];
+                        newWhereArgs[0] = formId;
+                        System.arraycopy(whereArgs, 0, newWhereArgs, 1, whereArgs.length);
+                    }
+
                     count = db.delete(
                             FORMS_TABLE_NAME,
                             FormsColumns._ID
-                                    + "="
-                                    + formId
+                                    + "=?"
                                     + (!TextUtils.isEmpty(where) ? " AND (" + where
-                                    + ')' : ""), whereArgs);
+                                    + ')' : ""), newWhereArgs);
                     break;
 
                 default:
@@ -510,14 +518,22 @@ public int update(Uri uri, ContentValues values, String where,
                                 values.put(FormsColumns.DISPLAY_SUBTEXT, ts);
                             }
 
+                            String[] newWhereArgs;
+                            if (whereArgs == null || whereArgs.length == 0) {
+                                newWhereArgs = new String[] {formId};
+                            } else {
+                                newWhereArgs = new String[(whereArgs.length + 1)];
+                                newWhereArgs[0] = formId;
+                                System.arraycopy(whereArgs, 0, newWhereArgs, 1, whereArgs.length);
+                            }
+
                             count = db.update(
                                     FORMS_TABLE_NAME,
                                     values,
                                     FormsColumns._ID
-                                            + "="
-                                            + formId
+                                            + "=?"
                                             + (!TextUtils.isEmpty(where) ? " AND ("
-                                            + where + ')' : ""), whereArgs);
+                                            + where + ')' : ""), newWhereArgs);
                         } else {
                             Timber.e("Attempting to update row that does not exist");
                         }

diff --git a/collect_app/src/main/java/org/odk/collect/android/provider/InstanceProvider.java b/collect_app/src/main/java/org/odk/collect/android/provider/InstanceProvider.java
@@ -91,14 +91,14 @@ public Cursor query(@NonNull Uri uri, String[] projection, String selection, Str
 
         SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
         qb.setTables(INSTANCES_TABLE_NAME);
+        qb.setProjectionMap(sInstancesProjectionMap);
+        qb.setStrict(true);
 
         switch (sUriMatcher.match(uri)) {
             case INSTANCES:
-                qb.setProjectionMap(sInstancesProjectionMap);
                 break;
 
             case INSTANCE_ID:
-                qb.setProjectionMap(sInstancesProjectionMap);
                 qb.appendWhere(InstanceColumns._ID + "=" + uri.getPathSegments().get(1));
                 break;
 
@@ -308,11 +308,21 @@ public int delete(@NonNull Uri uri, String where, String[] whereArgs) {
                         cv.put(InstanceColumns.DELETED_DATE, System.currentTimeMillis());
                         count = Collect.getInstance().getContentResolver().update(uri, cv, null, null);
                     } else {
+                        String[] newWhereArgs;
+                        if (whereArgs == null || whereArgs.length == 0) {
+                            newWhereArgs = new String[] {instanceId};
+                        } else {
+                            newWhereArgs = new String[(whereArgs.length + 1)];
+                            newWhereArgs[0] = instanceId;
+                            System.arraycopy(whereArgs, 0, newWhereArgs, 1, whereArgs.length);
+                        }
+
                         count =
                                 db.delete(INSTANCES_TABLE_NAME,
-                                        InstanceColumns._ID + "=" + instanceId
-                                                + (!TextUtils.isEmpty(where) ? " AND (" + where + ')' : ""),
-                                        whereArgs);
+                                        InstanceColumns._ID
+                                                + "=?"
+                                                + (!TextUtils.isEmpty(where) ? " AND ("
+                                                + where + ')' : ""), newWhereArgs);
                     }
                     break;
 
@@ -372,11 +382,22 @@ public int update(@NonNull Uri uri, ContentValues values, String where, String[]
                         }
                     }
 
+                    String[] newWhereArgs;
+                    if (whereArgs == null || whereArgs.length == 0) {
+                        newWhereArgs = new String[] {instanceId};
+                    } else {
+                        newWhereArgs = new String[(whereArgs.length + 1)];
+                        newWhereArgs[0] = instanceId;
+                        System.arraycopy(whereArgs, 0, newWhereArgs, 1, whereArgs.length);
+                    }
+
                     count =
-                            db.update(INSTANCES_TABLE_NAME, values,
-                                    InstanceColumns._ID + "=" + instanceId
-                                            + (!TextUtils.isEmpty(where) ? " AND (" + where + ')' : ""),
-                                    whereArgs);
+                            db.update(INSTANCES_TABLE_NAME,
+                                    values,
+                                    InstanceColumns._ID
+                                            + "=?"
+                                            + (!TextUtils.isEmpty(where) ? " AND ("
+                                            + where + ')' : ""), newWhereArgs);
                     break;
 
                 default: