我想执行类似下面的查询：

I want to perform a query like the following:

uvalue = EditText( some user value );
p_query = "select * from mytable where name_field = '" +  uvalue + "'" ;
mDb.rawQuery( p_query, null );

如果用户输入一个单引号中的投入崩溃。如果您将其更改为：

if the user enters a single quote in their input it crashes. If you change it to:

p_query = "select * from mytable where name_field = \"" +  uvalue + "\"" ;

崩溃，如果用户输入的输入双引号。 当然，他们可以随时进入单引号和双引号。

it crashes if the user enters a double quote in their input. and of course they could always enter both single and double quotes.

推荐答案

您应该利用 rawQuery 方法的的 selectionArgs两个参数：

You should make use of the rawQuery method's selectionArgs parameter:

p_query = "select * from mytable where name_field = ?";
mDb.rawQuery(p_query, new String[] { uvalue });

这不仅解决了您的报价问题，而且还能够减轻 SQL注入 。

This not only solves your quotes problem but also mitigates SQL Injection.