Hi Andy,

If you use whereArgs or selectionArgs the values don't need to be escaped because they bypass the SQL parsing phase entirely. That's the preferred way to do things. If you don't want to do that, or can't for various reasons, you can use DatabaseUtils.appendEscapedSQLString, or DatabaseUtils.sqlEscapeString.
Thanks,
Megha

On Mon, Apr 7, 2008 at 12:10 PM, Andy <[EMAIL PROTECTED]> wrote:
>
> Hi all
>
> When using the SQLite functions in the Android API is there a way to
> escape special characters in a string before using it in a query?
>
> I am a little worried about forming queries using code such as
> "... FIELD=\"" + value + "\" ... "
> in case the value contains special characters. Not escaping values
> properly can result in SQL Injection Vulnerabilities if data is from
> untrusted sources, and we certainly would not want that!
>
> Does the whereArgs in the update method call get escaped automatically?
> Does this apply to Strings passed to ContentValues as well?
>
> Thanks
>
> Andy
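As an added example (not code from Megha's reply or Andy's post) of the two approaches described in the reply: the concatenation pattern Andy is worried about next to its bound-parameter replacement, plus the `DatabaseUtils.sqlEscapeString` fallback. It assumes an open `SQLiteDatabase` and a hypothetical `users` table with `id` and `name` columns.

```java
import android.content.ContentValues;
import android.database.Cursor;
import android.database.DatabaseUtils;
import android.database.sqlite.SQLiteDatabase;

public class UserQueries {
    // Risky: the untrusted value is spliced into the SQL text and goes through the
    // SQL parser. A value containing a quote can change the statement's meaning,
    // which is exactly the injection concern raised in the thread.
    static Cursor findByNameUnsafe(SQLiteDatabase db, String name) {
        return db.rawQuery("SELECT id, name FROM users WHERE name = '" + name + "'", null);
    }

    // Preferred: the value is passed as a bound parameter via selectionArgs and is
    // never parsed as SQL, so no escaping is needed. The '?' marks where it is bound.
    static Cursor findByNameSafe(SQLiteDatabase db, String name) {
        return db.query("users", new String[] {"id", "name"},
                "name = ?", new String[] {name}, null, null, null);
    }

    // update() takes whereArgs the same way, and the ContentValues are bound, not
    // parsed. Note that selectionArgs/whereArgs are always bound as text, so numeric
    // values are converted with String.valueOf() and rely on the column's affinity.
    static int renameUser(SQLiteDatabase db, long id, String newName) {
        ContentValues values = new ContentValues();
        values.put("name", newName);
        return db.update("users", values, "id = ?", new String[] {String.valueOf(id)});
    }

    // Fallback for the rare case where a literal must be built by hand:
    // sqlEscapeString() returns the value wrapped in single quotes, with any
    // embedded single quotes doubled so they cannot terminate the literal.
    static String literalFor(String value) {
        return DatabaseUtils.sqlEscapeString(value);
    }

    // appendEscapedSQLString() does the same escaping directly into a StringBuilder.
    static String buildLikeClauseByHand(String value) {
        StringBuilder sql = new StringBuilder("SELECT id, name FROM users WHERE name = ");
        DatabaseUtils.appendEscapedSQLString(sql, value);
        return sql.toString();
    }
}
```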

