Wednesday, April 25, 2012

Re: [android-developers] newbie SQL Light Question

On Wed, Apr 25, 2012 at 7:03 PM, A. Elk <lancaster.dambusters@gmail.com> wrote:
> Using query() avoids this. All of the parameters of the query are passed in
> as arguments. No strings are concatenated, and no statement compilation is
> done. There's no way for the user to inject malicious SQL.

Nonsense. Heck, I'll even throw in "balderdash".

On SQLiteDatabase, query() eventually calls queryWithFactory(), which
creates the full SQL statement via
SQLiteQueryBuilder.buildQueryString()... which does concatenation.

--
Mark Murphy (a Commons Guy)
http://commonsware.com | http://github.com/commonsguy
http://commonsware.com/blog | http://twitter.com/commonsguy

Android App Developer Books: http://commonsware.com/books

--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
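To make the point of the exchange concrete, here is an added example that is not part of the original thread and is not Android's code: a small Python stand-in for SQLiteDatabase.query(), using the standard sqlite3 module instead of the Android framework. The helper build_query_string() is a hypothetical imitation of what SQLiteQueryBuilder.buildQueryString() does with the selection clause (plain concatenation into the SQL text); selection_args are then bound as parameters when the statement executes, which is the only part of the call that is injection-safe. The table, rows and the malicious input are constructed for the demonstration.

```python
import sqlite3

def build_query_string(table, columns, where=None, order_by=None):
    """Hypothetical imitation of SQLiteQueryBuilder.buildQueryString():
    the selection ("where") text is concatenated into the statement verbatim."""
    cols = ", ".join(columns) if columns else "*"
    sql = "SELECT " + cols + " FROM " + table
    if where:
        sql += " WHERE (" + where + ")"
    if order_by:
        sql += " ORDER BY " + order_by
    return sql

def query(conn, table, columns, selection, selection_args=(), order_by=None):
    """Stand-in for SQLiteDatabase.query(table, columns, selection, selectionArgs, ...):
    build the SQL text by concatenation, then bind selection_args at execution time.
    Only values bound through selection_args are kept out of the SQL text."""
    sql = build_query_string(table, columns, selection, order_by)
    return conn.execute(sql, tuple(selection_args)).fetchall()

def make_db():
    """Constructed sample database: two users, each with a secret."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "secret-a"), ("bob", "secret-b")],
    )
    conn.commit()
    return conn

# Constructed attacker-controlled input: closes the quoted literal and
# appends an always-true condition.
MALICIOUS_NAME = "nobody' OR '1'='1"

def lookup_unsafe(conn, name):
    """User input spliced into the selection string: query() does not
    protect this, because the selection is concatenated into the SQL."""
    return query(conn, "users", ["name", "secret"],
                 "name = '" + name + "'", order_by="id")

def lookup_safe(conn, name):
    """Same lookup with a ? placeholder and the value passed in
    selection_args, so it is bound as data rather than parsed as SQL."""
    return query(conn, "users", ["name", "secret"],
                 "name = ?", [name], order_by="id")

if __name__ == "__main__":
    db = make_db()
    print("unsafe, benign:   ", lookup_unsafe(db, "alice"))
    print("unsafe, malicious:", lookup_unsafe(db, MALICIOUS_NAME))  # every row leaks
    print("safe, malicious:  ", lookup_safe(db, MALICIOUS_NAME))    # no rows
```

Run against the constructed table, the concatenated form returns every user's secret for the malicious name, while the bound form returns nothing, because the whole string is compared as a single value. The practical rule on Android is the same: put a `?` in `selection` and the value in `selectionArgs`, and never build `selection` from user input by string concatenation.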
