2012/4/26 Kostya Vasilyev <kmans...@gmail.com>:
> String concatenation, yes, SQL statement compilation, yes.
>
> However, query() does not inject query arguments into the query string.
>
> The "?" argument notation is preserved and arguments are bound and passed
> into SQLite as, well, arguments.

Correct. So does rawQuery(). So does SQLiteQueryBuilder. IOW, query()
does not materially improve security. If you need to synthesize your
SELECT statement anyway, query() or SQLiteQueryBuilder make sense. If
you ordinarily would just use raw SQL with positional parameters, then
use rawQuery().

-- 
Mark Murphy (a Commons Guy)
http://commonsware.com | http://github.com/commonsguy
http://commonsware.com/blog | http://twitter.com/commonsguy

Android Training in NYC: http://marakana.com/training/android/

-- 
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
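Worked illustration of the point made above, added here as an example and not part of the original thread or of the Android platform code: Python's sqlite3 module is used as a stand-in for SQLiteDatabase, since it drives the same SQLite engine with the same "?" positional parameters. The users table, its rows and the allow-list of column names are constructed assumptions. The first two functions contrast splicing a value into the SQL text with binding it to "?"; the third shows the case Mark describes, synthesizing the SELECT itself, where "?" cannot stand in for a column name and the identifier has to be validated separately.

```python
"""
Added example (not from the original thread): shows, with Python's sqlite3
module standing in for Android's SQLiteDatabase, that binding values with
"?" is what prevents injection, whichever wrapper assembles the SELECT.
"""
import sqlite3

# Constructed sample data (assumption: a users table with a role column).
ROWS = [
    (1, "alice", "admin"),
    (2, "bob", "user"),
    (3, "carol", "user"),
]


def make_db():
    """Build an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def find_by_name_concat(conn, name):
    """Vulnerable form: the untrusted value becomes part of the SQL text,
    so a quote in the input changes the statement's structure."""
    sql = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_bound(conn, name):
    """Safe form: the SQL text is fixed at compile time and the value is
    handed to SQLite as an argument, exactly as rawQuery() with
    selectionArgs does on Android."""
    sql = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Assumption: the set of columns the caller is allowed to filter on.
ALLOWED_COLUMNS = {"id", "name", "role"}


def find_by_column_bound(conn, column, value):
    """Synthesized SELECT: "?" binds values, never identifiers, so the
    column name must be checked against an allow-list before it is
    spliced into the SQL text. The value is still bound, not spliced."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError("column not allowed: %r" % column)
    sql = "SELECT id, name, role FROM users WHERE %s = ?" % column
    return conn.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("concat:", find_by_name_concat(db, payload))   # every row leaks
    print("bound: ", find_by_name_bound(db, payload))    # no such name
    print("role=user:", find_by_column_bound(db, "role", "user"))
```

With the classic `' OR '1'='1` payload the concatenated query returns every row, while the bound query treats the whole string as a literal name and returns nothing. The third function is the reason a wrapper like query() or SQLiteQueryBuilder can still be convenient when the statement is assembled from pieces, but the binding of values is the same in all three paths, so none of them is more secure than rawQuery() with "?" arguments.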
