Generally do not use query directly as string.
Android have default classes so we can use those function to prevent sql injection.
For ex,
To get records from db and suppose you have joins or sub query so default 'query' may no use in such case we will use following funcitons.
If we have "IN" clause in sql statement then we may use it following way.
For insert,update and delete we may use default following functions
Android have default classes so we can use those function to prevent sql injection.
For ex,
To get records from db and suppose you have joins or sub query so default 'query' may no use in such case we will use following funcitons.
String sql = "select *,(select type from table 2 where table2.type=? limit 1) as type from table1 where table1.name like ?";
DatabaseHelper databaseHelper = new DatabaseHelper(getApplicationContext());
SQLiteDatabase sqLiteDatabase = databaseHelper.getWritableDatabase();
Cursor c = sqLiteDatabase.rawQuery(sql, new String[]{"car","m%"});
If we have "IN" clause in sql statement then we may use it following way.
String[] names = { "name1", "name2" }; // do whatever is needed first
String query = "SELECT * FROM table"
+ " WHERE name IN (" + TextUtils.join(",", Collections.nCopies(names.length, "?")) + ")";
Cursor cursor = mDb.rawQuery(query, names);
For insert,update and delete we may use default following functions
insert (String table, String nullColumnHack, ContentValues values) ; update (String table, ContentValues values, String whereClause, String[] whereArgs); delete(String table, String whereClause, String[] whereArgs) query(String table, String[] columns, String selection, String[] selectionArgs, String groupBy, String having, String orderBy, String limit) // we may use it for simple SELECT query
No comments :
Post a Comment