Wednesday, April 25, 2012

Re: [android-developers] newbie SQL Light Question

It's an abstraction, to be sure, but it also protects you from malicious SQL injection. Forming raw SQL statements, especially from user input, allows users to hack the sense of your statement in truly "evil" ways.

Using query() avoids this. All of the parameters of the query are passed in as arguments. No strings are concatenated, and no statement compilation is done. There's no way for the user to inject malicious SQL.

Notice the ContentResolver.query() method. It has both a "selection" and "selectionArgs" parameter. To be safe, use the "selection" argument for column names and operators, and put the values to compare to in "selectionArgs". The values are inserted into the "selection" clause without concatenation, so no SQL injection can occur.

On Wednesday, April 25, 2012 2:44:39 PM UTC-7, MagouyaWare wrote:
This is an abstraction so you don't have to build the SQL query yourself.  If you want more flexibility you can use the rawQuery() method:
http://developer.android.com/reference/android/database/sqlite/SQLiteDatabase.html#rawQuery%28java.lang.String,%20java.lang.String[]%29

Thanks,
Justin Anderson
MagouyaWare Developer
http://sites.google.com/site/magouyaware


On Wed, Apr 25, 2012 at 3:38 PM, gary@deanblakely.com <gary@deanblakely.com> wrote:
I'm learning SQLite using the NotePad tutorial application.  The code
pasted below is very strange to me.  I'm used to using SQL i.e. Select
KEY_ROWID, KEY_TITLE, KEY_BODY from DATABASE_TABLE
WHERE BLAH BLAH BLAH.

One of the nice things about SQL is that it is pretty much the same
between the platforms so when a developer has to learn a new platform,
such as Android, the SQL is the same.

What's going on?  Why don't you use SQL?
Thanks,
Gary

  public Cursor fetchNote(long rowId) throws SQLException {

       // Equivalent to:
       //   SELECT DISTINCT KEY_ROWID, KEY_TITLE, KEY_BODY
       //   FROM DATABASE_TABLE WHERE KEY_ROWID = rowId
       // Arguments: distinct, table, columns, selection, selectionArgs,
       //            groupBy, having, orderBy, limit
       Cursor mCursor =
           mDb.query(true, DATABASE_TABLE, new String[] {KEY_ROWID,
                   KEY_TITLE, KEY_BODY}, KEY_ROWID + "=" + rowId,
                   null, null, null, null, null);
       // Position the cursor on the single matching row before returning it.
       if (mCursor != null) {
           mCursor.moveToFirst();
       }
       return mCursor;
   }

--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en


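The point made in the first reply above, that values belong in selectionArgs (or rawQuery's bindArgs) while selection holds only column names and operators, is easiest to see with the vulnerable and the safe version side by side. The helper below is an added example written for this page; it is not code from the thread or from the NotePad tutorial, and the table name "notes", the column names "_id", "title" and "body", and the class name NotesDbExample are assumptions chosen for illustration.

```java
import android.content.Context;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;

import java.util.Arrays;
import java.util.List;

// Added example, not the NotePad tutorial's code. Table and column names are hypothetical.
public class NotesDbExample extends SQLiteOpenHelper {
    private static final String TABLE = "notes";
    private static final String KEY_ROWID = "_id";
    private static final String KEY_TITLE = "title";
    private static final String KEY_BODY = "body";

    // Identifiers in selection/orderBy cannot be bound, so anything that lands there
    // from outside the app must be checked against a fixed list of known columns.
    private static final List<String> SORTABLE = Arrays.asList(KEY_ROWID, KEY_TITLE);

    public NotesDbExample(Context ctx) {
        super(ctx, "notes_example.db", null, 1);
    }

    @Override
    public void onCreate(SQLiteDatabase db) {
        // Schema text is built from compile-time constants only; no external input here.
        db.execSQL("CREATE TABLE " + TABLE + " ("
                + KEY_ROWID + " INTEGER PRIMARY KEY AUTOINCREMENT, "
                + KEY_TITLE + " TEXT NOT NULL, "
                + KEY_BODY + " TEXT NOT NULL)");
    }

    @Override
    public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion) {
        db.execSQL("DROP TABLE IF EXISTS " + TABLE);
        onCreate(db);
    }

    // VULNERABLE: user input is spliced into the statement text.
    // A title of   x' OR '1'='1   turns the WHERE clause into
    //   WHERE title = 'x' OR '1'='1'
    // and returns every row; a UNION SELECT against another table works just as well.
    public Cursor findByTitleUnsafe(String userTitle) {
        SQLiteDatabase db = getReadableDatabase();
        return db.rawQuery("SELECT " + KEY_ROWID + ", " + KEY_TITLE + ", " + KEY_BODY
                + " FROM " + TABLE + " WHERE " + KEY_TITLE + " = '" + userTitle + "'", null);
    }

    // SAFE: the statement text is fixed; the value travels in selectionArgs and is bound
    // to the '?' placeholder by SQLite, so it cannot change the statement's structure.
    // The same   x' OR '1'='1   now matches only a note whose title is literally that string.
    public Cursor findByTitle(String userTitle) {
        SQLiteDatabase db = getReadableDatabase();
        return db.query(TABLE,
                new String[] {KEY_ROWID, KEY_TITLE, KEY_BODY},
                KEY_TITLE + " = ?",          // selection: column and operator only
                new String[] {userTitle},    // selectionArgs: the value, bound, never concatenated
                null, null, null);
    }

    // rawQuery is just as safe when every value goes through its bindArgs parameter.
    // LIKE metacharacters are escaped first so the caller cannot widen the pattern.
    public Cursor searchBody(String needle) {
        SQLiteDatabase db = getReadableDatabase();
        String pattern = "%" + needle.replace("\\", "\\\\")
                                     .replace("%", "\\%")
                                     .replace("_", "\\_") + "%";
        return db.rawQuery("SELECT " + KEY_ROWID + ", " + KEY_TITLE + " FROM " + TABLE
                + " WHERE " + KEY_BODY + " LIKE ? ESCAPE '\\'", new String[] {pattern});
    }

    // A caller-chosen sort column is an identifier, not a value, so it cannot be bound.
    // Accept it only from the whitelist; never concatenate it unchecked.
    public Cursor listSorted(String sortColumn) {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortColumn);
        }
        SQLiteDatabase db = getReadableDatabase();
        return db.query(TABLE, new String[] {KEY_ROWID, KEY_TITLE},
                null, null, null, null, sortColumn + " ASC");
    }
}
```

Two caveats worth keeping in mind: selectionArgs are always bound as strings, which still compares correctly against an INTEGER column such as _id because SQLite applies the column's numeric affinity to the bound text; and the tutorial's own `KEY_ROWID + "=" + rowId` is harmless only because rowId is a long, so the same pattern must not be copied for a String parameter.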