On Thu, Apr 26, 2012 at 12:46 AM, Justin Anderson wrote:
> You ALWAYS need to guard against SQL injection attacks if you are forming
> your query based on user input...
If that "user input" might come from another program, yes (e.g.,
exported ContentProvider).
If the only way queries are execute
2012/4/26 Kostya Vasilyev :
> String concatenation, yes, SQL statement compilation, yes.
>
> However, query() does not inject query arguments into the query string.
>
> The "?" argument notation is preserved and arguments are bound and passed
> into SQLite as, well, arguments.
Correct. So does raw
String concatenation, yes, SQL statement compilation, yes.
However, query() does not inject query arguments into the query string.
The "?" argument notation is preserved and arguments are bound and passed
into SQLite as, well, arguments.
-- K
On 26 April 2012 at 3:15, Mark Murphy wrote:
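The distinction Kostya draws above, as an added example that is not part of the thread: Python's sqlite3 module runs against an in-memory database, but the "?" binding is the same SQLite mechanism that SQLiteDatabase.query() and rawQuery(sql, selectionArgs) use on Android. The table, rows and hostile string are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for the NotePad tutorial's notes table.
NOTES = [
    (1, "groceries", "milk, eggs"),
    (2, "secret", "vault combination 1234"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (_id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?, ?)", NOTES)
    return conn


def find_by_title_concat(conn, title):
    """Vulnerable: the concatenated-rawQuery pattern the thread warns about.
    The caller's string becomes part of the SQL text that SQLite compiles."""
    sql = "SELECT _id, title, body FROM notes WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()


def find_by_title_bound(conn, title):
    """Safe: the '?' stays in the compiled statement and the value is bound as
    data, exactly as query()/rawQuery(sql, selectionArgs) hand it to SQLite."""
    sql = "SELECT _id, title, body FROM notes WHERE title = ?"
    return conn.execute(sql, (title,)).fetchall()


def demo():
    """Run both lookups with a benign and a constructed hostile title."""
    conn = make_db()
    benign = "groceries"
    # Constructed hostile input: closes the literal and appends an always-true clause.
    hostile = "x' OR '1'='1"
    return {
        "concat_benign": find_by_title_concat(conn, benign),
        "bound_benign": find_by_title_bound(conn, benign),
        "concat_hostile": find_by_title_concat(conn, hostile),  # every row is returned
        "bound_hostile": find_by_title_bound(conn, hostile),    # no title equals that string
    }
```

Binding covers values only: a column or table name that comes from outside the app still has to be checked against an allowlist, because no "?" can stand in for an identifier.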
You ALWAYS need to guard against SQL injection attacks if you are forming
your query based on user input...
Thanks,
Justin Anderson
MagouyaWare Developer
http://sites.google.com/site/magouyaware
On Wed, Apr 25, 2012 at 5:15 PM, Mark Murphy wrote:
> On Wed, Apr 25, 2012 at 7:03 PM, A. Elk
> wro
On Wed, Apr 25, 2012 at 7:03 PM, A. Elk wrote:
> Using query() avoids this. All of the parameters of the query are passed in
> as arguments. No strings are concatenated, and no statement compilation is
> done. There's no way for the user to inject malicious SQL.
Nonsense. Heck, I'll even throw in
It's an abstraction, to be sure, but it also protects you from malicious
SQL injection. Forming raw SQL statements, especially from user input,
allows users to hack the sense of your statement in truly "evil" ways.
Using query() avoids this. All of the parameters of the query are passed in
as a
This is an abstraction so you don't have to build the SQL query yourself.
If you want more flexibility you can use the rawQuery() method:
http://developer.android.com/reference/android/database/sqlite/SQLiteDatabase.html#rawQuery%28java.lang.String,%20java.lang.String[]%29
Thanks,
Justin Anderson
I'm learning SQLite using the NotePad tutorial application. The code
pasted below is very strange to me. I'm used to using SQL i.e. Select
KEY_ROWID, KEY_TITLE, KEY_BODY from DATABASE_TABLE
WHERE BLAH BLAH BLAH.
One of the nice things about SQL is that it is pretty much the same
between the plat