Re: [android-developers] newbie SQL Light Question

2012-04-26 Thread Kostya Vasilyev
String concatenation, yes, SQL statement compilation, yes. However, query() does not inject query arguments into the query string. The ? argument notation is preserved and arguments are bound and passed into SQLite as, well, arguments. -- K On 26 April 2012 at 3:15, user Mark Murphy

Re: [android-developers] newbie SQL Light Question

2012-04-26 Thread Mark Murphy
2012/4/26 Kostya Vasilyev kmans...@gmail.com: String concatenation, yes, SQL statement compilation, yes. However, query() does not inject query arguments into the query string. The ? argument notation is preserved and arguments are bound and passed into SQLite as, well, arguments. Correct.

Re: [android-developers] newbie SQL Light Question

2012-04-26 Thread Mark Murphy
On Thu, Apr 26, 2012 at 12:46 AM, Justin Anderson magouyaw...@gmail.com wrote: You ALWAYS need to guard against SQL injection attacks if you are forming your query based on user input... If that user input might come from another program, yes (e.g., exported ContentProvider). If the only way

[android-developers] newbie SQL Light Question

2012-04-25 Thread g...@deanblakely.com
I'm learning SQLite using the NotePad tutorial application. The code pasted below is very strange to me. I'm used to using SQL i.e. Select KEY_ROWID, KEY_TITLE, KEY_BODY from DATABASE_TABLE WHERE BLAH BLAH BLAH. One of the nice things about SQL is that it is pretty much the same between the

Re: [android-developers] newbie SQL Light Question

2012-04-25 Thread Justin Anderson
This is an abstraction so you don't have to build the SQL query yourself. If you want more flexibility you can use the rawQuery() method: http://developer.android.com/reference/android/database/sqlite/SQLiteDatabase.html#rawQuery%28java.lang.String,%20java.lang.String[]%29 Thanks, Justin Anderson

Re: [android-developers] newbie SQL Light Question

2012-04-25 Thread A. Elk
It's an abstraction, to be sure, but it also protects you from malicious SQL injection. Forming raw SQL statements, especially from user input, allows users to hack the sense of your statement in truly evil ways. Using query() avoids this. All of the parameters of the query are passed in as

Re: [android-developers] newbie SQL Light Question

2012-04-25 Thread Mark Murphy
On Wed, Apr 25, 2012 at 7:03 PM, A. Elk lancaster.dambust...@gmail.com wrote: Using query() avoids this. All of the parameters of the query are passed in as arguments. No strings are concatenated, and no statement compilation is done. There's no way for the user to inject malicious SQL.
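The distinction Kostya and Mark draw above (the `?` stays in the compiled statement and the value is bound as data, versus splicing the value into the SQL text) can be checked directly. This is an added example, not code from the thread or from Android: it uses Python's sqlite3 module as a stand-in for `SQLiteDatabase.query()` with `selectionArgs`, since both hand `?` placeholders to SQLite's bind API, and the `notes` table and rows are constructed.

```python
import sqlite3

# Constructed sample rows standing in for the NotePad tutorial's notes table.
NOTES = [
    (1, "Groceries", "milk, eggs"),
    (2, "Secret", "do not share"),
    (3, "Todo", "call bank"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (_id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?, ?)", NOTES)
    return conn


def fetch_by_title_bound(conn, title):
    # Mirrors db.query("notes", cols, "title = ?", new String[]{title}, ...):
    # the '?' survives statement compilation and the value is bound afterwards,
    # so whatever the string contains is compared as a literal title.
    sql = "SELECT _id, title, body FROM notes WHERE title = ?"
    return conn.execute(sql, (title,)).fetchall()


def fetch_by_title_concat(conn, title):
    # The hazard the thread warns about: rawQuery() built by concatenation,
    # so the value becomes part of the SQL that gets compiled.
    sql = "SELECT _id, title, body FROM notes WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()


def injection_check(conn, hostile):
    """Return (bound_rows, concat_rows) for a hostile-looking title so a test
    can confirm the bound form treats it as plain data; None means the
    concatenated statement was not even valid SQL."""
    bound = fetch_by_title_bound(conn, hostile)
    try:
        concat = fetch_by_title_concat(conn, hostile)
    except sqlite3.Error:
        concat = None
    return bound, concat


if __name__ == "__main__":
    db = make_db()
    print(fetch_by_title_bound(db, "Todo"))
    print(injection_check(db, "x' OR '1'='1"))
```

The bound query returns no rows for the hostile string because no note has that literal title, while the concatenated form returns every row; the same check works as a regression test for any code path that still builds SQL by string concatenation.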

Re: [android-developers] newbie SQL Light Question

2012-04-25 Thread Justin Anderson
You ALWAYS need to guard against SQL injection attacks if you are forming your query based on user input... Thanks, Justin Anderson MagouyaWare Developer http://sites.google.com/site/magouyaware On Wed, Apr 25, 2012 at 5:15 PM, Mark Murphy mmur...@commonsware.com wrote: On Wed, Apr 25, 2012 at