我想执行类似下面的查询:
I want to perform a query like the following:
uvalue = EditText( some user value );
p_query = "select * from mytable where name_field = '" + uvalue + "'" ;
mDb.rawQuery( p_query, null );
如果用户输入一个单引号中的投入崩溃。如果您将其更改为:
if the user enters a single quote in their input it crashes. If you change it to:
p_query = "select * from mytable where name_field = \"" + uvalue + "\"" ;
崩溃,如果用户输入的输入双引号。 当然,他们可以随时进入单引号和双引号。
it crashes if the user enters a double quote in their input. and of course they could always enter both single and double quotes.
您应该利用 rawQuery
方法的的 selectionArgs两个
参数:
You should make use of the rawQuery
method's selectionArgs
parameter:
p_query = "select * from mytable where name_field = ?";
mDb.rawQuery(p_query, new String[] { uvalue });
这不仅解决了您的报价问题,而且还能够减轻 SQL注入
。
This not only solves your quotes problem but also mitigates SQL Injection
.