cordova-sqlcipher-adapter v0.6.0

Cordova/PhoneGap SQLCipher adapter plugin - maintenance only

Native interface to SQLCipher version 4 in a Cordova/PhoneGap plugin with API based on HTML5/Web SQL (DRAFT) API for the following platforms:

• Android
• iOS
• macOS ("osx" platform)
• Windows 10 (UWP) DESKTOP (...) (disabled; see below for major limitations)

Plugin version 0.2.x (with known security issues) is required for SQLCipher 3 support. For future consideration: support migration between SQLCipher 3 and SQLCipher 4 (brodybits/cordova-sqlcipher-adapter#83). Note that this project is currently not under active development, see brodybits/cordova-sqlcipher-adapter#81.

LICENSE: MIT, with Apache 2.0 option for Android and disabled Windows platforms (see LICENSE.md for details, including third-party components used by this plugin)

NOTICE: Extra-old armeabi CPU for Android pre-5.0 is no longer supported by this plugin version.

IMPORTANT WARNING NOTICES

• Without the database password there is no proven way to recover the data.
• Multiple SQLite corruption problem - see section below & xpbrew/cordova-sqlite-storage#626
• IMPORTANT EXPORT REQUIREMENTS described at: https://discuss.zetetic.net/t/export-requirements-for-applications-using-sqlcipher/47
• Breaking changes coming soon - see section nearby & see xpbrew/cordova-sqlite-storage#922

Comparison of supported plugin versions

COMING SOON

New SQLite plugin design with a simpler API is in progress with a working demo - see brodybits/ask-me-anything#3

Breaking changes coming soon

in an upcoming major release - see xpbrew/cordova-sqlite-storage#922

some highlights:

• drop support for Android pre-5.1, which will also be dropped by cordova-android, including deprecated armeabi target no longer supported by this plugin (superseded by armeabi-v7a, seems to be not supported by Android 5.0) - more info in xpbrew/cordova-sqlite-storage#922
• error code will always be 0 (which is already the case on Windows); actual SQLite3 error code will be part of the error message member whenever possible (see xpbrew/cordova-sqlite-storage#821)
• drop support for location: 0-2 values in openDatabase call (please use location: 'default' or iosDatabaseLocation setting in openDatabase as documented below)
• throw an exception in case of androidDatabaseImplementation: 2 setting which is now superseded by androidDatabaseProvider: 'system' setting

under consideration:

• remove androidLockWorkaround: 1 option if not needed any longer - xpbrew/cordova-sqlite-storage#925

About this plugin version

TBD

GENERAL STATUS:

This project is under maintenance for security, data loss risk, and other critical issues at this point (brodybits/cordova-sqlcipher-adapter#81). Active development may be resumed someday in the future, in case of sufficient interest from the user community. For priority feature requirements please contact sales@litehelpers.net for estimation and discussion.

Multiple database problem on Android

This plugin uses SQLCipher for Android which is a non-standard SQLite implementation on Android (a fork of sqlcipher/android-database-sqlcipher). In case an application access the same database using multiple plugins there is a risk of data corruption (see xpbrew/cordova-sqlite-storage#626), as described in http://ericsink.com/entries/multiple_sqlite_problem.html and https://www.sqlite.org/howtocorrupt.html.)

Multiple database access problem on other platforms

This plugin version also uses SQLCipher which is based on a particular version of sqlite3 on iOS, macOS, and Windows. In case the application accesses the SAME database using multiple plugins there is a risk of data corruption as described in https://www.sqlite.org/howtocorrupt.html (similar to the multiple sqlite problem for Android as described in http://ericsink.com/entries/multiple_sqlite_problem.html).

Additional notice

Windows platform support is now disabled in this plugin version, with CRYPTO provider (libTomCrypt) completely removed. This plugin version is no longer tested on Windows. For future consideration: enable Windows build again with encryption using a recent build of the OpenSSL crypto library

A quick tour

To open a database:

var db = null;

document.addEventListener('deviceready', function() {
  db = window.sqlitePlugin.openDatabase({
    name: 'my-encrypted.db',
    key: 'user-password-here',
    location: 'default'
  });
});

IMPORTANT: Like with the other Cordova plugins your application must wait for the deviceready event. This is especially tricky in Angular/ngCordova/Ionic controller/factory/service callbacks which may be triggered before the deviceready event is fired.

Using DRAFT standard transaction API

To populate a database using the DRAFT standard transaction API:

  db.transaction(function(tx) {
    tx.executeSql('CREATE TABLE IF NOT EXISTS DemoTable (name, score)');
    tx.executeSql('INSERT INTO DemoTable VALUES (?,?)', ['Alice', 101]);
    tx.executeSql('INSERT INTO DemoTable VALUES (?,?)', ['Betty', 202]);
  }, function(error) {
    console.log('Transaction ERROR: ' + error.message);
  }, function() {
    console.log('Populated database OK');
  });

or using numbered parameters as documented in https://www.sqlite.org/c3ref/bind_blob.html:

  db.transaction(function(tx) {
    tx.executeSql('CREATE TABLE IF NOT EXISTS DemoTable (name, score)');
    tx.executeSql('INSERT INTO DemoTable VALUES (?1,?2)', ['Alice', 101]);
    tx.executeSql('INSERT INTO DemoTable VALUES (?1,?2)', ['Betty', 202]);
  }, function(error) {
    console.log('Transaction ERROR: ' + error.message);
  }, function() {
    console.log('Populated database OK');
  });

To check the data using the DRAFT standard transaction API:

  db.transaction(function(tx) {
    tx.executeSql('SELECT count(*) AS mycount FROM DemoTable', [], function(tx, rs) {
      console.log('Record count (expected to be 2): ' + rs.rows.item(0).mycount);
    }, function(tx, error) {
      console.log('SELECT error: ' + error.message);
    });
  });

Using plugin-specific API calls

To populate a database using the SQL batch API:

  db.sqlBatch([
    'CREATE TABLE IF NOT EXISTS DemoTable (name, score)',
    [ 'INSERT INTO DemoTable VALUES (?,?)', ['Alice', 101] ],
    [ 'INSERT INTO DemoTable VALUES (?,?)', ['Betty', 202] ],
  ], function() {
    console.log('Populated database OK');
  }, function(error) {
    console.log('SQL batch ERROR: ' + error.message);
  });

or using numbered parameters as documented in https://www.sqlite.org/c3ref/bind_blob.html:

  db.sqlBatch([
    'CREATE TABLE IF NOT EXISTS DemoTable (name, score)',
    [ 'INSERT INTO DemoTable VALUES (?1,?2)', ['Alice', 101] ],
    [ 'INSERT INTO DemoTable VALUES (?1,?2)', ['Betty', 202] ],
  ], function() {
    console.log('Populated database OK');
  }, function(error) {
    console.log('SQL batch ERROR: ' + error.message);
  });

To check the data using the single SQL statement API:

  db.executeSql('SELECT count(*) AS mycount FROM DemoTable', [], function(rs) {
    console.log('Record count (expected to be 2): ' + rs.rows.item(0).mycount);
  }, function(error) {
    console.log('SELECT SQL statement ERROR: ' + error.message);
  });

More detailed sample

See the Sample section for a sample with a more detailed explanation (using the DRAFT standard transaction API).

Status

• Windows platform support is now disabled in this plugin version, with CRYPTO provider (libTomCrypt) completely removed (ref: litehelpers / Cordova-sqlcipher-adapter#63). For future consideration: enable Windows build again with encryption using a recent build of the OpenSSL crypto library ref: litehelpers/Cordova-sqlcipher-adapter#30
• SQLCipher version information:
  • SQLCipher 4.5.3 community for Android with OpenSSL 1.1.1s - in custom build from https://github.com/brodybits/android-database-sqlcipher/tree/v4.5.x-defensive-jar-build (v4.5.x-defensive-jar-build branch)
  • SQLCipher 4.5.3 community for iOS/macOS
  • with OpenSSL libcrypto for Android
  • using CommonCrypto framework for iOS/macOS
  • NO ENCRYPTION ENABLED (completely removed) for Windows
  • for future consideration: embed OpenSSL libcrypto for all target platforms
• This plugin is not supported by PhoneGap Developer App or PhoneGap Desktop App.
• A recent version of the Cordova CLI is recommended. Known issues with older versions of Cordova:
  • Cordova pre-7.0.0 do not automatically save the state of added plugins and platforms (--save flag is needed for Cordova pre-7.0.0)
  • It may be needed to use cordova prepare in case of cordova-ios pre-4.3.0 (Cordova CLI 6.4.0).
  • Cordova versions older than 6.0.0 are missing the cordova-ios@4.0.0 security fixes.
• This plugin version has SQLCipher included for all platforms and should be usable from PhoneGap Build.
• SQLCipher build settings used:
  • SQLITE_HAS_CODEC (no longer enabled in Windows SQLite3 library build)
  • SQLITE_SOUNDEX (Android only)
  • SQLITE_MAX_VARIABLE_NUMBER=99999 (Android only)
  • SQLITE_DEFAULT_JOURNAL_SIZE_LIMIT=1048576 (Android only)
  • HAVE_USLEEP=1
  • SQLITE_TEMP_STORE=3
  • SQLCIPHER_CRYPTO_CC (iOS/macOS only)
  • SQLITE_LOCKING_STYLE=1 (iOS/macOS only)
  • DSQLITE_DEFAULT_JOURNAL_SIZE_LIMIT=1048576 (Android only)
  • NDEBUG (NDEBUG=1 on Android)
  • SQLITE_THREADSAFE=1
  • SQLITE_DEFAULT_SYNCHRONOUS=3 (EXTRA DURABLE build setting) on all platforms (Android/iOS/macOS/Windows) ref: xpbrew/cordova-sqlite-storage#736
  • SQLITE_ENABLE_MEMORY_MANAGEMENT=1 (Android only)
  • SQLITE_DEFAULT_MEMSTATUS=0
  • SQLITE_OMIT_DECLTYPE (iOS/macOS/Windows)
  • SQLITE_OMIT_DEPRECATED - iOS/macOS (FUTURE TBD: Android ref: brodybits/cordova-sqlcipher-adapter#82)
  • SQLITE_OMIT_PROGRESS_CALLBACK (iOS/macOS/Windows)
  • SQLITE_OMIT_SHARED_CACHE - iOS/macOS/Windows
  • SQLITE_ENABLE_DBSTAT_VTAB - Android only
  • SQLITE_ENABLE_LOAD_EXTENSION (Android only)
  • SQLITE_OMIT_LOAD_EXTENSION (iOS/macOS/Windows)
  • SQLITE_ENABLE_COLUMN_METADATA (Android only)
  • SQLITE_ENABLE_UNLOCK_NOTIFY (Android only)
  • SQLITE_ENABLE_FTS3 (iOS/macOS/Windows)
  • SQLITE_ENABLE_FTS3_PARENTHESIS
  • SQLITE_ENABLE_FTS4
  • SQLITE_ENABLE_RTREE
  • SQLITE_ENABLE_STAT3 for Android only
  • SQLITE_ENABLE_STAT4 for Android only
  • SQLITE_ENABLE_FTS5
  • SQLITE_ENABLE_JSON1
  • SQLITE_ENABLE_MATH_FUNCTIONS - Android/macOS/iOS
  • SQLITE_OS_WINRT (Windows only)
  • SQLCIPHER_CRYPTO_OPENSSL (Android only)
• SQLITE_DBCONFIG_DEFENSIVE flag is used for extra SQL safety on all platforms (Android/iOS/macOS/Windows) ref:
  • https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
  • https://www.sqlite.org/releaselog/3_26_0.html
• The iOS database location is now mandatory, as documented below.
• The following features are available in brodybits/cordova-sqlite-ext without SQLCipher:
  • REGEXP (Android/iOS/macOS)
  • SELECT BLOB data in Base64 format (all platforms Android/iOS/macOS/Windows)
  • Pre-populated database (Android/iOS/macOS/Windows)
• Windows platform version (using a customized version of the performant doo / SQLite3-WinRT C++ component based on the brodybits/SQLite3-WinRT sync-api-fix branch) is now disabled in this plugin version, with CRYPTO provider completely removed ref: brodybits/cordova-sqlcipher-adapter#63, and has the following known limitations:
  • Encryption no longer enabled in Windows SQLite3 library build. For future consideration: enable Windows build again with encryption using a recent build of the OpenSSL crypto library ref: brodybits/cordova-sqlcipher-adapter#63
  • No background processing is supported (see below)
  • This plugin version branch has dependency on platform toolset libraries included by Visual Studio 2017 ref: xpbrew/cordova-sqlite-storage#580. Visual Studio 2015 is now supported by brodybits/cordova-sqlite-legacy (permissive license terms, no performance enhancements for Android) and brodybits/cordova-sqlite-evcore-legacy-ext-common-free (GPL or commercial license terms, with performance enhancements for Android). UNTESTED workaround for Visual Studio 2015: it may be possible to support this plugin version on Visual Studio 2015 Update 3 by installing platform toolset v141.)
  • Visual Studio components needed: Universal Windows Platform development, C++ Universal Windows Platform tools. A recent version of Visual Studio 2017 will offer to install any missing feature components.
  • It is not possible to use this plugin with the default "Any CPU" target. A specific target CPU type must be specified when building an app with this plugin.
  • ARM target CPU for Windows Mobile is no longer supported.
  • The SQLite3-WinRT component in src/windows/SQLite3-WinRT-sync is based on doo/SQLite3-WinRT commit f4b06e6 from 2012, which is missing the asynchronous C++ API improvements. There is no background processing on the Windows platform.
  • Truncation issue with UNICODE \u0000 character (same as \0)
  • INCONSISTENT error code (0) and INCORRECT error message (missing actual error info) in error callbacks ref: xpbrew/cordova-sqlite-storage#539
  • Not possible to SELECT BLOB column values directly. It is recommended to use built-in HEX function to retrieve BLOB column values, which should work consistently across all platform implementations as well as (WebKit) Web SQL. Non-standard BASE64 function to SELECT BLOB column values in Base64 format is supported by brodybits/cordova-sqlite-ext (permissive license terms) and litehelpers / Cordova-sqlite-evcore-extbuild-free (GPL or commercial license terms) with no encryption, may be supported with SQLCipher in case of sufficient demand in the future.
  • Windows platform version uses UTF-16le internal database encoding while the other platform versions use UTF-8 internal encoding. (UTF-8 internal encoding is preferred ref: xpbrew/cordova-sqlite-storage#652)
  • Known issue with database names that contain certain US-ASCII punctuation and control characters (see below)
• The macOS platform version ("osx" platform) is not tested in a release build and should be considered pre-alpha with known issues:
  • cordova prepare osx is needed before building and running from Xcode
  • known issue between cordova-osx and Cordova CLI 10.0.0: https://github.com/apache/cordova-osx/issues/106
• Android platform version:
  • Android versions supported: minimum is 4.4 (API level 19), see also: https://cordova.apache.org/docs/en/latest/guide/platforms/android/
  • SQLCipher for Android build uses the OpenSSL crypto library for encryption
  • Uses androidx.sqlite framework, requires AndroidX support to be enabled starting with cordova-android@9 ref: https://cordova.apache.org/announcements/2020/06/29/cordova-android-9.0.0.html
  • ICU case-insensitive matching and other Unicode string manipulations is no longer supported for Android.
• iOS platform version:
  • iOS versions supported: 8.x / 9.x / 10.x / 11.x / 12.x (see deviations section below for differences in case of WKWebView)
  • REGEXP is no longer supported for iOS.
• The macOS platform version ("osx" platform) is not tested in a release build and should be considered pre-alpha.
• FTS3, FTS4, and R-Tree are fully tested and supported for all target platforms in this version branch.
• Default PRAGMA journal_mode setting - tested: delete on all platforms in this plugin version
• AUTO-VACUUM is not enabled by default. If no form of VACUUM or PRAGMA auto_vacuum is used then sqlite will automatically reuse deleted data space for new data but the database file will never shrink. For reference:
  • http://www.sqlite.org/pragma.html#pragma_auto_vacuum
  • xpbrew/cordova-sqlite-storage#646
• In case of memory issues please use smaller transactions (support of evcore & evplus enhancements with SQLCipher is for future consideration)
• Pre-populatd DB is not supported by this version.
• Lawnchair adapter has not been validated with this plugin version and is NOT guaranteed to work (see below).

Announcements

• Using recent version of SQLCipher (see above) with window functions and some security updates ref:
  • brodybits/cordova-sqlcipher-adapter#94
  • xpbrew/cordova-sqlite-storage#895
  • xpbrew/cordova-sqlite-storage#867
  • xpbrew/cordova-sqlite-storage#837
• Using SQLITE_DEFAULT_SYNCHRONOUS=3 (EXTRA DURABLE) build setting to be extra robust against possible database corruption on all platforms ref: xpbrew/cordova-sqlite-storage#736
• SQLITE_DBCONFIG_DEFENSIVE flag is used for extra SQL safety on all platforms, as described above
• Recent build fixes:
  • Fixed iOS/macOS platform version to use custom version of PSPDFThreadSafeMutableDictionary.m to avoid threading issue, custom version to avoid potential conflicts with custom iOS/macOS plugins ref: xpbrew/cordova-sqlite-storage#716, xpbrew/cordova-sqlite-storage#861
  • workaround for redefinition of SYNTAX_ERR when using some other plugins ref: xpbrew/cordova-sqlite-storage#868
• Nice overview of cordova-sqlite-storage and other alternatives for storing local data (without SQLCipher) at: https://www.sitepoint.com/storing-local-data-in-a-cordova-app/
• New alternative solution for small data storage (without SQLCipher): TheCocoaProject/ cordova-plugin-nativestorage - simpler "native storage of variables" for Android/iOS/Windows
• Resolved Java 6/7/8 concurrent map compatibility issue reported in xpbrew/cordova-sqlite-storage#726, THANKS to pointer by @NeoLSN (Jason Yang/楊朝傑) in xpbrew/cordova-sqlite-storage#727.
• Updated workaround solution to BUG 666 (xpbrew/cordova-sqlite-storage#666) (possible transaction issue after window.location change with possible data loss): close database if already open before opening again
• brodybits/cordova-sqlite-ext (without SQLCipher functionality) now supports SELECT BLOB data in Base64 format on all platforms in addition to REGEXP (Android/iOS/macOS) and pre-populated database (all platforms).
• brodybits / sql-promise-helper provides a Promise-based API wrapper.
• nolanlawson / pouchdb-adapter-cordova-sqlite supports this plugin along with other implementations such as nolanlawson / sqlite-plugin-2 and Microsoft / cordova-plugin-websql.
• macOS ("osx" platform) is now supported
• New litehelpers / Cordova-sqlite-evcore-extbuild-free plugin version (WITHOUT SQLCipher support) with Android JSON and SQL statement handling implemented in C, as well as support for PhoneGap Build, Intel XDK, etc. (GPL or commercial license terms). Handles large SQL batches in less than half the time as this plugin version. Also supports arbitrary database location on Android. FOR FUTURE CONSIDERATION: evcore version with SQLCipher supported may be added upon sufficient demand.
• Published brodybits / Cordova-quick-start-checklist and brodybits / Avoiding-some-Cordova-pitfalls.
• Self-test functions to verify proper installation and operation of this plugin
• More explicit openDatabase and deleteDatabase iosDatabaseLocation option
• Added straightforward sql batch function
• PhoneGap Build is now supported through the npm package: http://phonegap.com/blog/2015/05/26/npm-plugins-available/
• MetaMemoryT / websql-promise now provides a Promises-based interface to both (WebKit) Web SQL and this plugin

Highlights

• This plugin version is built with SQLCipher included.
• Drop-in replacement for HTML5/Web SQL (DRAFT) API: the only change should be to replace the static window.openDatabase() factory call with window.sqlitePlugin.openDatabase(), with parameters as documented below. Known deviations are documented in the deviations section below.
• Failure-safe nested transactions with batch processing optimizations (according to HTML5/Web SQL (DRAFT) API)
• Transaction API (based on HTML5/Web SQL (DRAFT) API) is designed for maximum flexiblibility, does not allow any transactions to be left hanging open.
• As described in this posting:
  • Keeps sqlite database in known, platform specific user data location on all supported platforms (Android/iOS/macOS/...), which can be reconfigured on iOS/macOS. Whether or not the database on the iOS platform is synchronized to iCloud depends on the selected database location.
  • No arbitrary size limit. SQLite limits described at: http://www.sqlite.org/limits.html
• Also validated for multi-page applications by internal test selfTest function.
• This project is self-contained. There are no dependencies on other plugins such as cordova-plugin-file.
• Windows platform version (NOW DISABLED IN THIS PLUGIN VERSION) uses a customized version of the performant doo / SQLite3-WinRT C++ component.
• Intellectual property:
  • All source code is tracked to the original author in git
  • Major authors are tracked in AUTHORS.md
  • License of each component is tracked in LICENSE.md
  • History of this project is also described in HISTORY.md

TIP: It is possible to migrate from Cordova to a pure native solution and continue using the data stored by this plugin.

Getting started

Recommended prerequisites

• Install a recent version of Cordova CLI, create a simple app with no plugins, and run it on the desired target platforms.
• Add a very simple plugin such as cordova-plugin-dialogs or an echo plugin and get it working. Ideally you should be able to handle a callback with some data coming from a prompt.

These prereqisites are very well documented in a number of excellent resources including:

• http://cordova.apache.org/ (redirected from http://cordova.io)
• http://www.tutorialspoint.com/cordova/
• https://ccoenraets.github.io/cordova-tutorial/
• https://www.toptal.com/mobile/developing-mobile-applications-with-apache-cordova
• http://www.tutorialspoint.com/cordova/index.htm

More resources can be found by https://www.google.com/search?q=cordova+tutorial. There are even some tutorials available on YouTube as well.

In addition, this guide assumes a basic knowledge of some key JavaScript concepts such as variables, function calls, and callback functions. There is an excellent explanation of JavaScript callbacks at http://cwbuecheler.com/web/tutorials/2013/javascript-callbacks/.

MAJOR TIPS: As described in the Installing section:

• In case of extra-old Cordova CLI pre-7.0, it is recommended to use the --save flag when installing plugins to add them to config.xml / package.json. (This is automatic starting with Cordova CLI 7.0.)
• Assuming that all plugins are added to config.xml or package.json, there is no need to commit the plugins subdirectory tree into the source repository.
• In general it is not recommended to commit the platforms subdirectory tree into the source repository.

NOTICE: This plugin is only supported with the Cordova CLI. This plugin is not supported with other Cordova/PhoneGap systems such as PhoneGap CLI, PhoneGap Build, Plugman, Intel XDK, Webstorm, etc.

Quick installation

Use the following command to install this plugin version from the Cordova CLI:

cordova plugin add cordova-sqlcipher-adapter # --save RECOMMENDED for Cordova CLI pre-7.0

Add any desired platform(s) if not already present, for example:

cordova platform add android

OPTIONAL: prepare before building (MANDATORY for cordova-ios older than 4.3.0 (Cordova CLI 6.4.0))

cordova prepare

or to prepare for a single platform, Android for example:

cordova prepare android

Please see the Installing section for more details.

NOTE: The new brodybits / cordova-sqlite-test-app project includes the echo test, self test, and string test described below along with some more sample functions.

Self test

Try the following programs to verify successful installation and operation:

Echo test - verify successful installation and build:

document.addEventListener('deviceready', function() {
  window.sqlitePlugin.echoTest(function() {
    console.log('ECHO test OK');
  });
});

Self test - automatically verify basic database access operations including opening a database; basic CRUD operations (create data in a table, read the data from the table, update the data, and delete the data); close and delete the database:

document.addEventListener('deviceready', function() {
  window.sqlitePlugin.selfTest(function() {
    console.log('SELF test OK');
  });
});

NOTE: It may be easier to use a JavaScript or native alert function call along with (or instead of) console.log to verify that the installation passes both tests. Same for the SQL string test variations below. (Note that the Windows platform does not support the standard alert function, please use cordova-plugin-dialogs instead.)

SQL string test

This test verifies that you can open a database, execute a basic SQL statement, and get the results (should be TEST STRING):

document.addEventListener('deviceready', function() {
  var db = window.sqlitePlugin.openDatabase({name: 'test.db', key: 'user-password', location: 'default'});
  db.transaction(function(tr) {
    tr.executeSql("SELECT upper('Test string') AS upperString", [], function(tr, rs) {
      console.log('Got upperString result: ' + rs.rows.item(0).upperString);
    });
  });
});

Here is a variation that uses a SQL parameter instead of a string literal:

document.addEventListener('deviceready', function() {
  var db = window.sqlitePlugin.openDatabase({name: 'test.db', key: 'user-password', location: 'default'});
  db.transaction(function(tr) {
    tr.executeSql('SELECT upper(?) AS upperString', ['Test string'], function(tr, rs) {
      console.log('Got upperString result: ' + rs.rows.item(0).upperString);
    });
  });
});

Moving forward

It is recommended to read through the usage and sample sections before building more complex applications. In general it is recommended to start by doing things one step at a time, especially when an application does not work as expected.

The new brodybits / cordova-sqlite-test-app sample is intended to be a boilerplate to reproduce and demonstrate any issues you may have with this plugin. You may also use it as a starting point to build a new app.

In case you get stuck with something please read through the support section and follow the instructions before raising an issue. Professional support is also available by contacting: sales@xpbrew.consulting

Plugin usage examples and tutorials

Simple example:

FUTURE TODO (WANTED): samples using this plugin version (with encryption)

WITHOUT SQLCIPHER:

• brodybits / cordova-sqlite-storage-starter-app (using cordova-sqlite-storage plugin version)

Tutorials:

FUTURE TODO (WANTED): tutorials using this plugin version (with encryption)

WITHOUT SQLCIPHER:

• https://codesundar.com/cordova-sqlite-storage/ (using cordova-sqlite-storage plugin version with JQuery)

PITFALL WARNING: A number of tutorials show up in search results that use Web SQL database instead of this plugin.

WANTED: simple, working CRUD tutorial sample ref: xpbrew/cordova-sqlite-storage#795

SQLite resources

• http://www.tutorialspoint.com/sqlite/index.htm with a number of helpful articles

Some other Cordova resources

• http://www.tutorialspoint.com/cordova/cordova_file_system.htm

Some apps using Cordova SQLCipher adapter plugin version

TBD YOUR APP HERE

Security

Security of sensitive data

According to Web SQL Database API 7.2 Sensitivity of data:

User agents should treat persistently stored data as potentially sensitive; it's quite possible for e-mails, calendar appointments, health records, or other confidential documents to be stored in this mechanism.

To this end, user agents should ensure that when deleting data, it is promptly deleted from the underlying storage.

Unfortunately this plugin will not actually overwrite the deleted content unless the secure_delete PRAGMA is used.

SQL injection

As "strongly recommended" by Web SQL Database API 8.5 SQL injection:

Authors are strongly recommended to make use of the ? placeholder feature of the executeSql() method, and to never construct SQL statements on the fly.

Avoiding data loss

• Double-check that the application code follows the documented API for SQL statements, parameter values, success callbacks, and error callbacks.
• For standard Web SQL transactions include a transaction error callback with the proper logic that indicates to the user if data cannot be stored for any reason. In case of individual SQL error handlers be sure to indicate to the user if there is any issue with storing data.
• For single statement and batch transactions include an error callback with logic that indicates to the user if data cannot be stored for any reason.

Deviations

Some known deviations from the Web SQL database standard

• The window.sqlitePlugin.openDatabase static factory call takes a different set of parameters than the standard Web SQL window.openDatabase static factory call. In case you have to use existing Web SQL code with no modifications please see the Web SQL replacement tip below.
• This plugin does not support the database creation callback or standard database versions. Please read the Database schema versions section below for tips on how to support database schema versioning.
• This plugin does not support the synchronous Web SQL interfaces.
• Known issues with handling of certain ASCII/UNICODE characters as described below.
• It is possible to request a SQL statement list such as "SELECT 1; SELECT 2" within a single SQL statement string, however the plugin will only execute the first statement and silently ignore the others ref: xpbrew/cordova-sqlite-storage#551
• It is possible to insert multiple rows like: transaction.executeSql('INSERT INTO MyTable VALUES (?,?),(?,?)', ['Alice', 101, 'Betty', 102]); which was not supported by SQLite 3.6.19 as referenced by Web SQL (DRAFT) API section 5. The iOS WebKit Web SQL implementation seems to support this as well.
• Unlike the HTML5/Web SQL (DRAFT) API this plugin handles executeSql calls with too few parameters without error reporting. In case of too many parameters this plugin reports error code 0 (SQLError.UNKNOWN_ERR) while Android/iOS (WebKit) Web SQL correctly reports error code 5 (SQLError.SYNTAX_ERR) ref: https://www.w3.org/TR/webdatabase/#dom-sqlexception-code-syntax
• Positive and negative Infinity SQL parameter argument values are treated like null by this plugin on Android and iOS ref: xpbrew/cordova-sqlite-storage#405
• Positive and negative Infinity result values cause a crash on iOS/macOS cases ref: xpbrew/cordova-sqlite-storage#405
• Known issue(s) with of certain ASCII/UNICODE characters as described below.
• Boolean true and false values are handled by converting them to the "true" and "false" TEXT string values, same as WebKit Web SQL on Android and iOS. This does not seem to be 100% correct as discussed in: xpbrew/cordova-sqlite-storage#545
• A number of uncategorized errors such as CREATE VIRTUAL TABLE USING bogus module are reported with error code 5 (SQLError.SYNTAX_ERR) on Android/iOS/macOS by both (WebKit) Web SQL and this plugin.
• Error is reported with error code of 0 on Android and disabled Windows platforms
• In case of an issue that causes an API function to throw an exception (Android/iOS WebKit) Web SQL includes includes a code member with value of 0 (SQLError.UNKNOWN_ERR) in the exception while the plugin includes no such code member.
• This plugin supports some non-standard features as documented below.
• Results of SELECT with BLOB data such as SELECT LOWER(X'40414243') AS myresult, SELECT X'40414243' AS myresult, or reading data stored by INSERT INTO MyTable VALUES (X'40414243') are not consistent on Android or Windows. (These work with Android/iOS WebKit Web SQL and have been supported by SQLite for a number of years.)
• Whole number parameter argument values such as 42, -101, or 1234567890123 are handled as INTEGER values by this plugin on Android, iOS (default UIWebView), and Windows while they are handled as REAL values by (WebKit) Web SQL and by this plugin on iOS with WKWebView (using cordova-plugin-wkwebview-engine) or macOS ("osx"). This is evident in certain test operations such as SELECT ? as myresult or SELECT TYPEOF(?) as myresult and storage in a field with TEXT affinity.
• INTEGER, REAL, +/- Infinity, NaN, null, undefined parameter argument values are handled as TEXT string values on Android. (This is evident in certain test operations such as SELECT ? as myresult or SELECT TYPEOF(?) as myresult and storage in a field with TEXT affinity.)
• In case of invalid transaction callback arguments such as string values the plugin attempts to execute the transaction while (WebKit) Web SQL would throw an exception.
• The plugin handles invalid SQL arguments array values such as false, true, or a string as if there were no arguments while (WebKit) Web SQL would throw an exception. NOTE: In case of a function in place of the SQL arguments array WebKit Web SQL would report a transaction error while the plugin would simply ignore the function.
• In case of invalid SQL callback arguments such as string values the plugin may execute the SQL and signal transaction success or failure while (WebKit) Web SQL would throw an exception.
• In certain cases such as transaction.executeSql(null) or transaction.executeSql(undefined) the plugin throws an exception while (WebKit) Web SQL indicates a transaction failure.
• In certain cases such as transaction.executeSql() with no arguments (Android/iOS WebKit) Web SQL includes includes a code member with value of 0 (SQLError.UNKNOWN_ERR) in the exception while the plugin includes no such code member.
• If the SQL arguments are passed in an Array subclass object where the constructor does not point to Array then the SQL arguments are ignored by the plugin.
• The results data objects are not immutable as specified/implied by Web SQL (DRAFT) API section 4.5.
• This plugin version provides encryption which is NOT covered by the HTML5/Web SQL API.
• This plugin supports use of numbered parameters (?1, ?2, etc.) as documented in https://www.sqlite.org/c3ref/bind_blob.html, not supported by HTML5/Web SQL (DRAFT) API ref: Web SQL (DRAFT) API section 4.2.
• In case of UPDATE this plugin reports insertId with the result of sqlite3_last_insert_rowid() on iOS, macOS, and disabled Windows platforms while attempt to access insertId on the result set database opened by HTML5/Web SQL (DRAFT) API results in an exception.

Security of deleted data

See Security of sensitive data in the Security section above.

Other differences with WebKit Web SQL implementations

• FTS3 is not consistently supported by (WebKit) Web SQL on Android/iOS.
• FTS4 and R-Tree are not consistently supported by (WebKit) Web SQL on Android/iOS or desktop browser.
• In case of ignored INSERT OR IGNORE statement WebKit Web SQL (Android/iOS) reports insertId with an old INSERT row id value while the plugin reports insertId: undefined.
• In case of a SQL error handler that does not recover the transaction, WebKit Web SQL (Android/iOS) would incorrectly report error code 0 while the plugin would report the same error code as in the SQL error handler. (In case of an error with no SQL error handler then Android/iOS WebKit Web SQL would report the same error code that would have been reported in the SQL error hander.)
• In case a transaction function throws an exception, the message and code if present are reported by the plugin but not by (WebKit) Web SQL.
• Inconsistent error message formatting on Android (using custom build of sqlcipher/android-database-sqlcipher) (brodybits/cordova-sqlcipher-adapter#95), for example: incomplete input: , while compiling: INSERT INTO test_table .data. VALUES
• SQL error messages are inconsistent on Windows.
• There are some other differences in the SQL error messages reported by WebKit Web SQL and this plugin. NOTE that unlike the android.database.sqlite implementation on Android 4.x(+) SQLCipher for Android does not seem to include the error code in most of the error message.

Known issues

• The iOS/macOS platform versions do not support certain rapidly repeated open-and-close or open-and-delete test scenarios due to how the implementation handles background processing
• Cannot read encrypted database with CORRECT password directly after attempt to open with INCORRECT password ref: litehelpers/Cordova-sqlcipher-adapter#43
• It is possible to request a SQL statement list such as "SELECT 1; SELECT 2" within a single SQL statement string, however the plugin will only execute the first statement and silently ignore the others ref: xpbrew/cordova-sqlite-storage#551
• Execution of INSERT statement that affects multiple rows (due to SELECT cause or using TRIGGER(s), for example) reports incorrect rowsAffected on Android.
• Memory issue observed when adding a large number of records due to the JSON implementation which is improved in litehelpers / Cordova-sqlite-evcore-extbuild-free (GPL or commercial license terms)
• Infinity (positive or negative) values are not supported on Android/iOS/macOS due to issues described above including a possible crash on iOS/macOS ref: xpbrew/cordova-sqlite-storage#405
• A stability issue was reported on the iOS platform version when in use together with SockJS client such as pusher-js at the same time (see xpbrew/cordova-sqlite-storage#196). The workaround is to call sqlite functions and SockJS client functions in separate ticks (using setTimeout with 0 timeout).
• SQL errors are reported with incorrect & inconsistent error message on Windows - missing actual error info ref: xpbrew/cordova-sqlite-storage#539.
• Close/delete database bugs described below.
• When a database is opened and deleted without closing, the iOS/macOS platform version is known to leak resources.
• It is NOT possible to open multiple databases with the same name but in different locations (iOS/macOS platform version).

Some additional issues are tracked in open cordova-sqlite-storage bug-general issues and open Cordova-sqlcipher-adapter bug-general issues.

Other limitations

• The db version, display name, and size parameter values are not supported and will be ignored. (No longer supported by the API)
• Absolute and relative subdirectory path(s) are not tested or supported.
• This plugin will not work before the callback for the 'deviceready' event has been fired, as described in Usage. (This is consistent with the other Cordova plugins.)
• Extremely large records are not supported by this plugin. It is recommended to store images and similar binary data in separate files. TBD: specify maximum record. For future consideration: support in a plugin version such as litehelpers / Cordova-sqlite-evcore-extbuild-free (GPL or commercial license terms).
• This plugin version will not work within a web worker (not properly supported by the Cordova framework). Use within a web worker is supported for Android/iOS/macOS (WITHOUT SQLCipher) in litehelpers / cordova-sqlite-evmax-ext-workers-legacy-build-free (GPL or premium commercial license terms).
• In-memory database db=window.sqlitePlugin.openDatabase({name: ':memory:', ...}) is currently not supported.
• The Android platform version cannot properly support more than 100 open database files due to the threading model used.
• SQL error messages reported by Windows platform version are not consistent with Android/iOS/macOS platform versions.
• UNICODE \u2028 (line separator) and \u2029 (paragraph separator) characters are currently not supported and known to be broken on iOS, macOS, and Android platform versions due to JSON issues reported in Cordova bug CB-9435 and cordova/cordova-discuss#57. This is fixed with a workaround for iOS/macOS in: litehelpers / Cordova-sqlite-evplus-legacy-free and litehelpers / Cordova-sqlite-evplus-legacy-attach-detach-free (GPL or special commercial license terms) as well as litehelpers / cordova-sqlite-evmax-ext-workers-legacy-build-free (GPL or premium commercial license terms).
• SELECT BLOB column value type is not supported consistently across all platforms (not supported on Windows). It is recommended to use the built-in HEX function to SELECT BLOB column data in hexadecimal format, working consistently across all platforms. As an alternative: SELECT BLOB in Base64 format is supported by brodybits/cordova-sqlite-ext (permissive license terms) and litehelpers / Cordova-sqlite-evcore-extbuild-free (GPL or commercial license options).
• Database files with certain multi-byte UTF-8 characters are not tested and not expected to work consistently across all platform implementations.
• Issues with UNICODE \u0000 character (same as \0):
  • Encoding issue reproduced on Android (default Android-sqlite-connector implementation with Android-sqlite-ext-native-driver, using Android NDK)
  • Truncation in case of argument value with UNICODE \u0000 character reproduced on (WebKit) Web SQL as well as plugin on Android (default Android-sqlite-connector implementation with Android-sqlite-ext-native-driver, using Android NDK) and Windows
  • SQL error reported in case of inline value string with with UNICODE \u0000 character on (WebKit) Web SQL, plugin on Android with use of the androidDatabaseProvider: 'system' setting, and plugin on some other platforms
• Case-insensitive matching and other string manipulations on Unicode characters, which is provided by optional ICU integration in the sqlite source and working with recent versions of Android, is not supported for any target platforms.
• The iOS/macOS platform version uses a thread pool but with only one thread working at a time due to "synchronized" database access.
• Some large query results may be slow, also due to the JSON implementation.
• ATTACH to another database file is not supported by this version branch. ATTACH/DETACH is supported (along with the memory and iOS UNICODE \u2028 line separator / \u2029 paragraph separator fixes, WITHOUT SQLCipher) in litehelpers / Cordova-sqlite-evplus-legacy-attach-detach-free (GPL or special commercial license terms).
• UPDATE/DELETE with LIMIT or ORDER BY is not supported.
• User-defined savepoints are not supported and not expected to be compatible with the transaction locking mechanism used by this plugin. In addition, the use of BEGIN/COMMIT/ROLLBACK statements is not supported.
• Issues have been reported with using this plugin together with Crosswalk for Android, especially on x86_64 CPU (xpbrew/cordova-sqlite-storage#336). Please see xpbrew/cordova-sqlite-storage#336 (comment) for workaround on x64 CPU. In addition it may be helpful to install Crosswalk as a plugin instead of using Crosswalk to create a project that will use this plugin.
• Does not work with axemclion / react-native-cordova-plugin since the window.sqlitePlugin object is NOT properly exported (ES5 feature). It is recommended to use andpor / react-native-sqlite-storage for SQLite database access with React Native Android/iOS instead.
• Does not support named parameters (?NNN/:AAA/@AAAA/$AAAA parameter placeholders as documented in https://www.sqlite.org/lang_expr.html#varparam and https://www.sqlite.org/c3ref/bind_blob.html) ref: xpbrew/cordova-sqlite-storage#717
• User defined functions not supported, due to problems described in xpbrew/cordova-sqlite-storage#741

Additional limitations are tracked in cordova-sqlite-help doc-todo issues, cordova-sqlite-storage doc-todo issues, and cordova-sqlcipher-adapter doc-todo issues.

Further testing needed

• Integration with PhoneGap developer app
• Use within InAppBrowser
• Use within an iframe (see xpbrew/cordova-sqlite-storage#368 (comment))
• Date/time handling
• Maximum record size supported
• Actual behavior when using SAVEPOINT(s)
• R-Tree is not fully tested with Android
• UNICODE characters not fully tested
• ORDER BY RANDOM() (ref: xpbrew/cordova-sqlite-storage#334)
• UPDATE/DELETE with LIMIT or ORDER BY (newer Android/iOS versions)
• Integration with JXCore for Cordova (must be built without sqlite(3) built-in)
• Delete an open database inside a statement or transaction callback.
• WITH clause (not supported by some older sqlite3 versions)
• Handling of invalid transaction and transaction.executeSql arguments
• Use of database locations on macOS
• Extremely large and small INTEGER and REAL values ref: xpbrew/cordova-sqlite-storage#627
• More emojis and other 4-octet UTF-8 characters
• More database file names with some more control characters and multi-byte UTF-8 characters (including emojis and other 4-byte UTF-8 characters)
• Use of numbered parameters (?1, ?2, etc.) as documented in https://www.sqlite.org/c3ref/bind_blob.html
• Use of ?NNN/:AAA/@AAAA/$AAAA parameter placeholders as documented in https://www.sqlite.org/lang_expr.html#varparam and https://www.sqlite.org/c3ref/bind_blob.html) (currently NOT supported by this plugin) ref: xpbrew/cordova-sqlite-storage#717
• Single-statement and SQL batch transaction calls with invalid arguments (TBD behavior subject to change)
• Plugin vs (WebKit) Web SQL transaction behavior in case of an error handler which returns various falsy vs truthy values
• Other open Cordova-sqlite-storage testing issues and open cordova-sqlcipher-adapter testing issues

Some tips and tricks

• In case of issues with code that follows the asynchronous Web SQL transaction API, it is possible to test with a test database using window.openDatabase for comparison with (WebKit) Web SQL.
• In case your database schema may change, it is recommended to keep a table with one row and one column to keep track of your own schema version number. It is possible to add it later. The recommended schema update procedure is described below.

Pitfalls

Extremely common pitfall(s)

IMPORTANT: A number of tutorials and samples in search results suffer from the following pitfall:

• If a database is opened using the standard window.openDatabase call it will not have any of the benefits of this plugin and features such as the sqlBatch call would not be available.

Common update pitfall(s)

• Updates such as database schema changes, migrations from use of Web SQL, migration between data storage formats must be handled with extreme care. It is generally extremely difficult or impossible to predict when users will install application updates. Upgrades from old database schemas and formats must be supported for a very long time.

Other common pitfall(s)

• It is NOT allowed to execute sql statements on a transaction that has already finished, as described below. This is consistent with the HTML5/Web SQL (DRAFT) API.
• The plugin class name starts with "SQL" in capital letters, but in Javascript the sqlitePlugin object name starts with "sql" in small letters.
• Attempting to open a database before receiving the 'deviceready' event callback.
• Inserting STRING into ID field
• Auto-vacuum is NOT enabled by default. It is recommended to periodically VACUUM the database. If no form of VACUUM or PRAGMA auto_vacuum is used then sqlite will automatically reuse deleted data space for new data but the database file will never shrink. For reference: http://www.sqlite.org/pragma.html#pragma_auto_vacuum and xpbrew/cordova-sqlite-storage#646
• Transactions on a database are run sequentially. A large transaction could block smaller transactions requested afterwards.

Some weird pitfall(s)

• intent whitelist: blocked intent such as external URL intent may cause this and perhaps certain Cordova plugin(s) to misbehave (see xpbrew/cordova-sqlite-storage#396)

Angular/ngCordova/Ionic-related pitfalls

• Angular/ngCordova/Ionic controller/factory/service callbacks may be triggered before the 'deviceready' event is fired
• As discussed in xpbrew/cordova-sqlite-storage#355, it may be necessary to install ionic-plugin-keyboard
• Navigation items such as root page can be tricky on Ionic 2 ref: xpbrew/cordova-sqlite-storage#613

General Cordova pitfalls

Documented in: brodybits / Avoiding-some-Cordova-pitfalls

General SQLite pitfalls

From https://www.sqlite.org/datatype3.html#section_1:

SQLite uses a more general dynamic type system.

This is generally nice to have, especially in conjunction with a dynamically typed language such as JavaScript. Here are some major SQLite data typing principles:

• From https://www.sqlite.org/datatype3.html#section_3: the CREATE TABLE SQL statement declares each column with one of the following type affinities: TEXT, NUMERIC, INTEGER, REAL, or BLOB.
• From https://www.sqlite.org/datatype3.html#section_3_1 with column type affinity determination rules: it should be possible to do CREATE TABLE with columns of almost any type name (for example: CREATE TABLE MyTable (data ABC);) and each column type affinity is determined according to pattern matching. If a declared column type name does not match any of the patterns the column has NUMERIC affinity.
• From https://www.sqlite.org/datatype3.html#section_3_2: a column with no data type name specified actually gets the BLOB affinity.

However there are some possible gotchas:

1. From https://www.sqlite.org/datatype3.html#section_3_2:

   Note that a declared type of "FLOATING POINT" would give INTEGER affinity, not REAL affinity, due to the "INT" at the end of "POINT". And the declared type of "STRING" has an affinity of NUMERIC, not TEXT.

2. From ibid: a column declared as "DATETIME" has NUMERIC affinity, which gives no hint whether an INTEGER Unix time value, a REAL Julian time value, or possibly even a TEXT ISO8601 date/time string may be stored (further refs: https://www.sqlite.org/datatype3.html#section_2_2, https://www.sqlite.org/datatype3.html#section_3)

From https://groups.google.com/forum/#!topic/phonegap/za7z51_fKRw, as discussed in xpbrew/cordova-sqlite-storage#546: it was discovered that are some more points of possible confusion with date/time. For example, there is also a datetime function that returns date/time in TEXT string format. This should be considered a case of "DATETIME" overloading since SQLite is not case sensitive. This could really become confusing if different programmers or functions consider date/time to be stored in different ways.

FUTURE TBD: Proper date/time handling will be further tested and documented at some point.

Major TODOs

• More formal documentation of API, especially for non-standard functions
• ~~Browser platform (likely without actual encryption if SQL.js is used as discussed in [litehelpers/Cordova-sqlite-stora