String concatenation, yes; SQL statement compilation, yes. However, query() does not inject query arguments into the query string.
The "?" argument notation is preserved and arguments are bound and passed into SQLite as, well, arguments.

-- K

On 26 April 2012 at 3:15, Mark Murphy <mmur...@commonsware.com> wrote:

> On Wed, Apr 25, 2012 at 7:03 PM, A. Elk <lancaster.dambust...@gmail.com> wrote:
> > Using query() avoids this. All of the parameters of the query are passed in
> > as arguments. No strings are concatenated, and no statement compilation is
> > done. There's no way for the user to inject malicious SQL.
>
> Nonsense. Heck, I'll even throw in "balderdash".
>
> On SQLiteDatabase, query() eventually calls queryWithFactory(), which
> creates the full SQL statement via
> SQLiteQueryBuilder.buildQueryString()... which does concatenation.
>
> --
> Mark Murphy (a Commons Guy)
> http://commonsware.com | http://github.com/commonsguy
> http://commonsware.com/blog | http://twitter.com/commonsguy
>
> Android App Developer Books: http://commonsware.com/books
>
> --
> You received this message because you are subscribed to the Google
> Groups "Android Developers" group.
> To post to this group, send email to android-developers@googlegroups.com
> To unsubscribe from this group, send email to
> android-developers+unsubscr...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/android-developers?hl=en
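The distinction both posters are circling, as an added example that is not part of the thread and not from any of the participants: SQLiteDatabase.query() does concatenate the clause text you hand it (table, columns, selection, and so on) into one SQL string through SQLiteQueryBuilder.buildQueryString(), but a "?" placeholder in the selection survives that concatenation and the matching selectionArgs entry is bound at execution time, so it is always treated as data. The risk only appears when the caller builds the selection clause itself out of untrusted input. The "users" table, its columns and the class name below are assumed for illustration.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;

/**
 * Added example (hypothetical class, not from the thread): two ways of looking
 * up rows in an assumed "users" table with columns "id" and "name".
 */
public final class UserLookup {
    private static final String TABLE = "users";                      // assumed table
    private static final String[] COLUMNS = {"id", "name"};           // assumed columns

    private final SQLiteDatabase db; // assumed to be an already-opened database

    public UserLookup(SQLiteDatabase db) {
        this.db = db;
    }

    /**
     * Risky pattern: the caller-controlled value becomes part of the selection
     * clause text. query() concatenates that clause into the SQL string, so the
     * value is parsed as SQL syntax rather than passed as a string literal.
     * Any quote character in userName changes the statement's structure.
     */
    public Cursor findByNameUnsafe(String userName) {
        String selection = "name = '" + userName + "'";
        return db.query(TABLE, COLUMNS, selection, null, null, null, null);
    }

    /**
     * Safe pattern: the selection contains only a "?" placeholder. The clause
     * text is still concatenated by buildQueryString(), but the "?" survives
     * into the compiled statement and userName is bound as a parameter, so it
     * can never alter the statement's structure.
     */
    public Cursor findByName(String userName) {
        String selection = "name = ?";
        String[] selectionArgs = {userName};
        return db.query(TABLE, COLUMNS, selection, selectionArgs, null, null, null);
    }

    /**
     * Same rule for rawQuery(): the SQL text is written by the caller, and the
     * second argument supplies the bound values for each "?" in it.
     */
    public Cursor findByNameRaw(String userName) {
        return db.rawQuery("SELECT id, name FROM " + TABLE + " WHERE name = ?",
                new String[] {userName});
    }

    /**
     * Shows the SQL text query() assembles before any binding happens: the
     * placeholder is still a literal "?" in the returned string, which is why
     * the argument itself is never spliced into the statement.
     */
    public static String builtSqlForNameLookup() {
        return SQLiteQueryBuilder.buildQueryString(
                false, TABLE, COLUMNS, "name = ?", null, null, null, null);
    }
}
```

A quick check during code review is to look at every call to query() and rawQuery(): if the selection or SQL string is assembled from anything other than constants and "?" placeholders, the concatenation Mark Murphy describes is happening on untrusted input and the call should be rewritten to the selectionArgs form.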