On Wed, Apr 25, 2012 at 7:03 PM, A. Elk <lancaster.dambust...@gmail.com> wrote:
> Using query() avoids this. All of the parameters of the query are passed in
> as arguments. No strings are concatenated, and no statement compilation is
> done. There's no way for the user to inject malicious SQL.
Nonsense. Heck, I'll even throw in "balderdash".

On SQLiteDatabase, query() eventually calls queryWithFactory(), which creates the full SQL statement via SQLiteQueryBuilder.buildQueryString()... which does concatenation.

--
Mark Murphy (a Commons Guy)
http://commonsware.com | http://github.com/commonsguy
http://commonsware.com/blog | http://twitter.com/commonsguy
Android App Developer Books: http://commonsware.com/books
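A worked illustration of the point made above, added here as an example and not taken from the thread or from Android's own sources: query() does concatenate the table, column, selection and orderBy strings into one SQL statement (visible through the public SQLiteQueryBuilder.buildQueryString()), and only the values passed in selectionArgs are bound. It assumes a table "users" with columns "name" and "email" and an already-open SQLiteDatabase.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;

// Added example; assumes a "users" table with "name" and "email" columns.
public final class QueryInjectionDemo {

    // Shows what query() builds internally: table, columns, selection and
    // orderBy are concatenated into a single SQL string. Whatever text is
    // in 'selection' lands verbatim in the WHERE clause.
    static String showBuiltSql(String selection, String orderBy) {
        return SQLiteQueryBuilder.buildQueryString(
                false, "users", new String[] {"name", "email"},
                selection, null, null, orderBy, null);
    }

    // Unsafe: user input is spliced into the selection string before
    // query() ever sees it. A single quote in userInput terminates the
    // literal and the remainder is parsed as SQL, so query() gives no
    // protection here.
    static Cursor findUserUnsafe(SQLiteDatabase db, String userInput) {
        String selection = "name = '" + userInput + "'";
        return db.query("users", new String[] {"name", "email"},
                selection, null, null, null, null);
    }

    // Safe: the selection is a fixed string with a ? placeholder and the
    // value travels in selectionArgs. That value is bound by SQLite as a
    // parameter and never becomes part of the SQL text.
    static Cursor findUserSafe(SQLiteDatabase db, String userInput) {
        return db.query("users", new String[] {"name", "email"},
                "name = ?", new String[] {userInput},
                null, null, null);
    }

    // Identifiers (table, column, orderBy) cannot be bound with ?, so
    // user-chosen sort columns must be checked against a fixed allowlist
    // before being handed to query().
    static Cursor listUsersSorted(SQLiteDatabase db, String requestedSort) {
        String orderBy = "email".equals(requestedSort) ? "email" : "name";
        return db.query("users", new String[] {"name", "email"},
                null, null, null, null, orderBy);
    }
}
```

Calling showBuiltSql("name = 'x'", "name") returns the concatenated SELECT statement, which is the concatenation step referred to above; the ? placeholder in findUserSafe survives that step and is bound only when the statement is compiled.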