本文介绍了SQL查询字符串中的Android报价的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我想执行类似下面的查询:
I want to perform a query like the following:
uvalue = EditText( some user value ); p_query = "select * from mytable where name_field = '" + uvalue + "'" ; mDb.rawQuery( p_query, null );如果用户输入一个单引号中的投入崩溃。如果您将其更改为:
if the user enters a single quote in their input it crashes. If you change it to:
p_query = "select * from mytable where name_field = \"" + uvalue + "\"" ;
崩溃,如果用户输入的输入双引号。 当然,他们可以随时进入单引号和双引号。
it crashes if the user enters a double quote in their input. and of course they could always enter both single and double quotes.
推荐答案您应该利用 rawQuery 方法的的 selectionArgs两个参数:
You should make use of the rawQuery method's selectionArgs parameter:
p_query = "select * from mytable where name_field = ?"; mDb.rawQuery(p_query, new String[] { uvalue });这不仅解决了您的报价问题,而且还能够减轻 SQL注入 。
This not only solves your quotes problem but also mitigates SQL Injection.
更多推荐
SQL查询字符串中的Android报价
发布评论