It's an abstraction, to be sure, but it also protects you from malicious SQL injection. Forming raw SQL statements, especially from user input, allows users to hack the sense of your statement in truly "evil" ways.
Using query() avoids this. All of the parameters of the query are passed in as arguments. No strings are concatenated, and no statement compilation is done. There's no way for the user to inject malicious SQL.

Notice the ContentResolver.query() method. It has both a "selection" and a "selectionArgs" parameter. To be safe, use the "selection" argument for column names and operators, and put the values to compare to in "selectionArgs". The values are inserted into the "selection" clause without concatenation, so no SQL injection can occur.

On Wednesday, April 25, 2012 2:44:39 PM UTC-7, MagouyaWare wrote:
>
> This is an abstraction so you don't have to build the SQL query yourself.
> If you want more flexibility you can use the rawQuery() method:
>
> http://developer.android.com/reference/android/database/sqlite/SQLiteDatabase.html#rawQuery%28java.lang.String,%20java.lang.String[]%29
>
> Thanks,
> Justin Anderson
> MagouyaWare Developer
> http://sites.google.com/site/magouyaware
>
>
> On Wed, Apr 25, 2012 at 3:38 PM, g...@deanblakely.com <g...@deanblakely.com> wrote:
>
>> I'm learning SQLite using the NotePad tutorial application. The code
>> pasted below is very strange to me. I'm used to using SQL, i.e. Select
>> KEY_ROWID, KEY_TITLE, KEY_BODY from DATABASE_TABLE WHERE BLAH BLAH BLAH.
>>
>> One of the nice things about SQL is that it is pretty much the same
>> between the platforms, so when a developer has to learn a new platform,
>> such as Android, the SQL is the same.
>>
>> What's going on? Why don't you use SQL?
>> Thanks,
>> Gary
>>
>>     // Return a cursor positioned on the note whose _id equals rowId.
>>     public Cursor fetchNote(long rowId) throws SQLException {
>>         Cursor mCursor =
>>             mDb.query(true, DATABASE_TABLE,
>>                       new String[] {KEY_ROWID, KEY_TITLE, KEY_BODY},
>>                       KEY_ROWID + "=" + rowId,   // selection
>>                       null,                      // selectionArgs
>>                       null, null, null, null);   // groupBy, having, orderBy, limit
>>         if (mCursor != null) {
>>             mCursor.moveToFirst();
>>         }
>>         return mCursor;
>>     }
>>
>> --
>> You received this message because you are subscribed to the Google
>> Groups "Android Developers" group.
>> To post to this group, send email to android-developers@googlegroups.com
>> To unsubscribe from this group, send email to
>> android-developers+unsubscr...@googlegroups.com
>> For more options, visit this group at
>> http://groups.google.com/group/android-developers?hl=en
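The mechanism the reply above describes, shown against SQLite itself as an added example (not code from the thread, the NotePad tutorial, or Android). It uses Python's sqlite3 module rather than the Android API: binding a value to a `?` placeholder is the same thing SQLiteDatabase.query() does with "selectionArgs", and concatenating the value into the SQL text is what a hand-built rawQuery() string does. The `notes` table, its rows, and the injection payload are all constructed for the example.

```python
import sqlite3

# Constructed sample data: a tiny notes table like the NotePad tutorial's,
# with the two rows below (names and values are assumptions, not from the thread).
SAMPLE_NOTES = [
    ("groceries", "milk, eggs"),
    ("secret", "the password is hunter2"),
]

# Column names callers may select on; anything else is rejected.
# Identifiers cannot be bound with ?, so they come from this fixed set.
ALLOWED_COLUMNS = {"_id", "title", "body"}


def make_db():
    """Create an in-memory SQLite database holding SAMPLE_NOTES."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE notes (_id INTEGER PRIMARY KEY, title TEXT, body TEXT)"
    )
    conn.executemany("INSERT INTO notes (title, body) VALUES (?, ?)", SAMPLE_NOTES)
    return conn


def fetch_by_title_concat(conn, title):
    """VULNERABLE: the WHERE clause is built by string concatenation.

    This is what rawQuery("... WHERE title = '" + title + "'", null) does:
    the value becomes part of the SQL text, so a quote inside it changes
    the meaning of the statement.
    """
    sql = "SELECT _id, title, body FROM notes WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()


def fetch_by_title_bound(conn, title):
    """SAFE: the value is bound to a ? placeholder.

    Equivalent to query(table, columns, "title = ?", new String[]{title}, ...):
    SQLite parses "title = ?" first and receives the value afterwards, so the
    value can never be interpreted as SQL.
    """
    sql = "SELECT _id, title, body FROM notes WHERE title = ?"
    return conn.execute(sql, (title,)).fetchall()


def fetch_where(conn, column, value):
    """Column name from an allowlist in the selection text, value bound.

    This is the split the reply recommends: column names and operators go in
    "selection" (trusted, checked here against ALLOWED_COLUMNS), values go in
    "selectionArgs".
    """
    if column not in ALLOWED_COLUMNS:
        raise ValueError("unknown column: %r" % (column,))
    sql = "SELECT _id, title, body FROM notes WHERE %s = ?" % column
    return conn.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "groceries' OR '1'='1"   # constructed injection string
    print("concat:", fetch_by_title_concat(db, payload))  # every row leaks
    print("bound: ", fetch_by_title_bound(db, payload))   # no such title
    print("where: ", fetch_where(db, "body", "milk, eggs"))
```

The payload turns the concatenated statement into `WHERE title = 'groceries' OR '1'='1'`, which matches every row; the bound version looks for a title literally equal to the payload and returns nothing. One caveat on the tutorial code itself: `KEY_ROWID + "=" + rowId` does concatenate, but `rowId` is a `long`, so the only characters it can contribute are digits. The same pattern with a `String` argument is the injectable case, and `"_id = ?"` with the id in selectionArgs is the habit that stays safe when the type changes.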