SQLiteDatabase.query方法 [英] SQLiteDatabase.query method
问题描述
我使用SQLiteDatabase的查询方法。如何使用查询方法?
I am using the query method of SQLiteDatabase. How do I use the query method?
我尝试这样做:
Cursor cursor = sqLiteDatabase.query(
tableName, tableColumns, whereClause, whereArgs, groupBy, having, orderBy);
TableColumn来 - 列参数的构造如下。
tableColumns - columns parameter is constructed as follows.
String[] columns = new String[]{KEY_ID, KEY_CONTENT};
如果我们需要让所有的领域,应该如何列参数来构建。我们需要以包括String数组的所有字段名?
If we need to get all the fields, how should the column parameter to be constructed. Do we need to include all the Field Names in String array?
我如何正确使用查询方法?
How do I properly use the query method?
推荐答案
TableColumn来
-
空所有列在SELECT * FROM ... -
新的String [] {列1,列2,...}为特定的列在选择列1,列2 FROM。 ..- 你也可以把复杂的EX pressions这里:
新的String [] {(SELECT MAX(列1)FROM表1)为max}会给你一个名为最大列控股列1
nullfor all columns as inSELECT * FROM ...new String[] { "column1", "column2", ... }for specific columns as inSELECT column1, column2 FROM ...- you can also put complex expressions here:
new String[] { "(SELECT max(column1) FROM table1) AS max" }would give you a column namedmaxholding the max value ofcolumn1
whereClause
- 您在
,其中把没有该关键字的部分,如列1→5 - 应该包括
?的东西是动态的,例如:列1 =?- >见whereArgs
- the part you put after
WHEREwithout that keyword, e.g."column1 > 5" - should include
?for things that are dynamic, e.g."column1=?"-> seewhereArgs
whereArgs
- 指定填充内容的每个
?在whereClause中出现的顺序
- specify the content that fills each
?inwhereClausein the order they appear
其他
- 就像
whereClause关键字或空如果你不使用它。
- just like
whereClausethe statement after the keyword ornullif you don't use it.
示例
String[] tableColumns = new String[] {
"column1",
"(SELECT max(column1) FROM table2) AS max"
};
String whereClause = "column1 = ? OR column1 = ?";
String[] whereArgs = new String[] {
"value1",
"value2"
};
String orderBy = "column1";
Cursor c = sqLiteDatabase.query("table1", tableColumns, whereClause, whereArgs,
null, null, orderBy);
// since we have a named column we can do
int idx = c.getColumnIndex("max");
是等效于以下原始查询
is equivalent to the following raw query
String queryString =
"SELECT column1, (SELECT max(column1) FROM table1) AS max FROM table1 " +
"WHERE column1 = ? OR column1 = ? ORDER BY column1";
sqLiteDatabase.rawQuery(queryString, whereArgs);
通过使用Where /绑定-args版本可以自动获得转义的值,你不必如果输入数据中包含的后顾之忧。
不安全:字符串whereClause =列1 ='+价值+';
安全:字符串whereClause =?列1 =;
Unsafe: String whereClause = "column1='" + value + "'";
Safe: String whereClause = "column1=?";
因为如果值中包含您的发言无论是休息,你会得到异常或根本意想不到的东西,例如值=XYZ'; DROP表table1; - 甚至可能会放弃你的表,因为该语句将成为两个语句和注释:
because if value contains a ' your statement either breaks and you get exceptions or does unintended things, for example value = "XYZ'; DROP TABLE table1;--" might even drop your table since the statement would become two statements and a comment:
SELECT * FROM table1 where column1='XYZ'; DROP TABLE table1;--'
使用的args版本 XYZ; DROP TABLE表1; - 将逃到'XYZ''; DROP TABLE表1; - ,只会被视为一个值。即使不打算做坏事它仍然是相当普遍的,人们有它自己的名字或者用它在文本,文件名,密码等,因此请务必使用在ARGS版本。 (这是正常建立 INT 等原语直接进入 whereClause 虽然)
using the args version XYZ'; DROP TABLE table1;-- would be escaped to 'XYZ''; DROP TABLE table1;--' and would only be treated as a value. Even if the ' is not intended to do bad things it is still quite common that people have it in their names or use it in texts, filenames, passwords etc. So always use the args version. (It is okay to build int and other primitives directly into whereClause though)
这篇关于SQLiteDatabase.query方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
