Queries with prepared statements in Android?

by

a prepared statement allows you to do two things

  • speed up the performance since the database does not need to parse the statement each time
  • bind & escape arguments in the statement so you are save against injection attacks

I don’t know exactly where/when Androids SQLite implementation actually uses sqlite3_prepare (afiak not sqlite3_prepare_v2 – see here) but it does use it otherwise you could not get Reached MAX size for compiled-sql statement cache errors.

So if you want to query the database you have to rely on the implementation there is no way I know of to do it with SQLiteStatement.

Regarding the injection safety, every database query, insert, etc method has (sometimes alternative) versions that allow you to bind arguments.

E.g. if you want to get a Cursor out of 

SELECT * FROM table WHERE column1='value1' OR column2='value2'

Cursor SQLiteDatabase#rawQuery(

  • String sql, : full SELECT statment which can include ? everywhere
  • String[] selectionArgs : list of values that replace ?, in order they appear

)

Cursor c1 = db.rawQuery(
    "SELECT * FROM table WHERE column1=? OR column2=?",
    new String[] {"value1", "value2"}
);

Cursor SQLiteDatabase#query (

  • String table, : table name, can include JOIN etc
  • String[] columns, : list of the columns required, null = *
  • String selection, : WHERE clause withouth WHERE can / should include ?
  • String[] selectionArgs, : list of values that replace ?, in order they appear
  • String groupBy, : GROUP BY clause w/o GROUP BY
  • String having, : HAVING clause w/o HAVING
  • String orderBy : ORDER BY clause w/o ORDER BY

)

Cursor c2 = db.query("table", null, 
     "column1=? OR column2=?", 
      new String[] {"value1", "value2"},
      null, null, null);

Via ContentProviders – that case is slightly different since you interact with an abstract provider, not a database. There is acutally no guarantee that there is a sqlite database backing the ContentProvider. So unless you know what columns there are / how the provider works internally you should stick to what the documentation says.

Cursor ContentResolver#query(

  • Uri uri, : an URI representing the data source (internally translated to a table)
  • String[] projection, : list of the columns required, null = *
  • String selection, : WHERE clause withouth WHERE can / should include ?
  • String[] selectionArgs, : list of values that replace ?, in order they appear
  • String sortOrder : ORDER BY clause w/o ORDER BY

)

Cursor c3 = getContentResolver().query(
     Uri.parse("content://provider/table"), null,
     "column=? OR column2=?", 
      new String[] {"value1", "value2"},
      null);

Hint: if you want to LIMIT here you can add it to the ORDER BY clause:

String sortOrder = "somecolumn LIMIT 5";

or depending on the implementation of the ContentProvider add it as a parameter to the Uri:

Uri.parse("content://provider/table?limit=5");
// or better via buildUpon()
Uri audio = MediaStore.Audio.Media.EXTERNAL_CONTENT_URI;
audio.buildUpon().appendQueryParameter("limit", "5");

In all cases ? will be replaced by the escaped version of what you put in the bind argument.

? + "hack'me" = 'hack''me'

More Related Contents:

  1. How do I use prepared statements in SQlite in Android?
  2. Best way to work with dates in Android SQLite [closed]
  3. How to split comma-separated value in SQLite?
  4. Android SQLite: Update Statement
  5. Could not allocate CursorWindow
  6. android, how to exec a sql file in sqlitedatabase
  7. sqlite insert into table select * from
  8. SQLite Foreign Key
  9. How to add multiple edit text and spinner data into SQLite database?
  10. Hindi font not displying correctly in android [closed]
  11. Unable to save and retrieve String data using Sqlite in android
  12. Why does the application crash when I press the button to insert the values in the table? [duplicate]
  13. Pros and Cons of SQLite and Shared Preferences [closed]
  14. Location of sqlite database on the device
  15. Android column ‘_id’ does not exist?
  16. How do I view the SQLite database on an Android device? [duplicate]
  17. How to ignore accent in SQLite query (Android)
  18. Deleting Row in SQLite in Android
  19. Store Android SQLite
  20. Why do I get a “sqlite3: not found” error on a rooted Nexus One when I try to open a database using the adb shell?
  21. Android sqlite how to check if a record exists
  22. Android Persistence room: “Cannot figure out how to read this field from a cursor”
  23. SQLite Exception no such column when trying to select
  24. android java.lang.IllegalStateException: Couldn’t read row 0, col 0 from CursorWindow
  25. How can I insert image in a sqlite database
  26. What is The use of moveToFirst () in SQLite Cursors
  27. How to check database on not rooted android device
  28. Compare dates (stored as string) in android sqlite database?
  29. H2 Database vs SQLite on Android [closed]
  30. Backup Room database

Leave a Comment