sql查询字符串中的Android引号 [英] Android quotes within an sql query string
本文介绍了sql查询字符串中的Android引号的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我想执行如下查询:
uvalue = EditText( some user value );
p_query = "select * from mytable where name_field = '" + uvalue + "'" ;
mDb.rawQuery( p_query, null );
如果用户在输入中输入单引号,它会崩溃.如果您将其更改为:
if the user enters a single quote in their input it crashes. If you change it to:
p_query = "select * from mytable where name_field = "" + uvalue + """ ;
如果用户在输入中输入双引号,它会崩溃.当然,他们总是可以同时输入单引号和双引号.
it crashes if the user enters a double quote in their input. and of course they could always enter both single and double quotes.
推荐答案
你应该使用 rawQuery 方法的 selectionArgs 参数:
You should make use of the rawQuery method's selectionArgs parameter:
p_query = "select * from mytable where name_field = ?";
mDb.rawQuery(p_query, new String[] { uvalue });
这不仅解决了您的引用问题,还减轻了SQL 注入.
This not only solves your quotes problem but also mitigates SQL Injection.
这篇关于sql查询字符串中的Android引号的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
