Android SQLiteDatabase query statement
Source: Internet  Published by: 天猫魔盒好用软件  Editor: 程序博客网  Time: 2024/06/05 14:49
tableColumns
- null for all columns, as in SELECT * FROM ...
- new String[] { "column1", "column2", ... } for specific columns, as in SELECT column1, column2 FROM ...
- you can also put complex expressions here: new String[] { "(SELECT max(column1) FROM table1) AS max" } would give you a column named max holding the max value of column1

whereClause
- the part you put after WHERE without that keyword, e.g. "column1 > 5"
- should include ? for things that are dynamic, e.g. "column1=?" -> see whereArgs

whereArgs
- specify the content that fills each ? in whereClause, in the order they appear

the others
- just like whereClause: the statement after the keyword, or null if you don't use it.
Example

String[] tableColumns = new String[] { "column1", "(SELECT max(column1) FROM table2) AS max" };
String whereClause = "column1 = ? OR column1 = ?";
String[] whereArgs = new String[] { "value1", "value2" };
String orderBy = "column1";
Cursor c = sqLiteDatabase.query("table1", tableColumns, whereClause, whereArgs, null, null, orderBy);
// since we have a named column we can do
int idx = c.getColumnIndex("max");

is equivalent to the following raw query

String queryString = "SELECT column1, (SELECT max(column1) FROM table2) AS max FROM table1 "
        + "WHERE column1 = ? OR column1 = ? ORDER BY column1";
sqLiteDatabase.rawQuery(queryString, whereArgs);
By using the Where/Bind-Args version you get automatically escaped values and you don't have to worry if input data contains '.

Unsafe: String whereClause = "column1='" + value + "'";
Safe:   String whereClause = "column1=?";

because if value contains a ' your statement either breaks and you get exceptions or does unintended things; for example value = "XYZ'; DROP TABLE table1;--" might even drop your table, since the statement would become two statements and a comment:

SELECT * FROM table1 where column1='XYZ'; DROP TABLE table1;--'

Using the args version, XYZ'; DROP TABLE table1;-- would be escaped to 'XYZ''; DROP TABLE table1;--' and would only be treated as a value. Even if the ' is not intended to do bad things, it is still quite common that people have it in their names or use it in texts, filenames, passwords etc. So always use the args version. (It is okay to build int and other primitives directly into whereClause though.)