2013년 6월 17일 월요일

SQLite Parameterized statement, rawQuery()

이전 블로그에서 이전 함 (원본 글 2013/06/17 작성)

Android SQLite 사용 중 rawQuery의 arguments를 사용할 필요가 있을까 했는데..

public Cursor rawQuery (String sql, String[] selectionArgs)


찾다 보니 아래와 같은 의견이 있었음.


You should make use of the rawQuery method's selectionArgs parameter:
p_query = "select * from mytable where name_field = ?";
mDb.rawQuery(p_query, new String[] { uvalue });
This not only solves your quotes problem but also mitigates SQL Injection.
share|improve this answer
3 
I wish I could upmod this more than once! – jrockway Aug 18 '09 at 20:52
1 
It is also much faster because Sqlite doesn't have to parse every sql statement. – tuinstoel Aug 19 '09 at 20:33
12 
Indeed, you should use query arguments. However, you can also use the DatabaseUtils to escape strings, if needed. For instance, DatabaseUtils.sqlEscapeString(). It's not the best way, but it's available. Could be useful if you're trying to pass a raw SQL statement over to something external. – lilbyrdie Aug 22 '09 at 15:50
1 
@lilbyrdie: thanks! As one can't bind vectors of strings for use with the IN operator, sqlEscapeSting() was just what I needed! – Steve Pomeroy Jan 13 '11 at 22:33
This doesn't work as well as you'd think. If you use a string like this it breaks: "sample " string ' that breaks stuff" – Christopher Perry Aug 24 '12 at 3:20


Wikipedia에서 찾아보니.
SQL injection attack의 방지법으로 하나로 소개되어 있음..

댓글 없음:

댓글 쓰기