SELECT WHERE sql query

Question

I'm trying to match username and password in existing database and I'm stuck at that point in writing SQL query.

Cursor cursor = db.rawQuery("Select " + dbh.name + dbh.pass
+ " from tablename where" +dbh.name +"="+ e1.getText().toString()+";", null);

This would lead to SQL injection. – Santosh Panda May 04 '13 at 07:38 — Santosh Panda, May 04 '13 at 07:38

score 1 · Accepted Answer · edited May 23 '17 at 12:04

You can do it using something as follows but is HIGHLY discouraged:

String selectQuery = "SELECT * FROM "+ TABLE_NAME +" WHERE "+COLUMN_USERNAME + " = '"+usrname+"' AND "+COLUMN_PASSWD+" = '"+passwd+"' "; 
//COLUMN_USERNAME is the column name which stores username COLUMN_PASSWD is column storing password
Cursor cursor = database.rawQuery(selectQuery, null);

You can try to use AccountManager class for the purpose. There are questions which deal with How to store username and passwords. You should checkout following threads:

1) Android: Storing username and password?

2) Is it safe to store username + passwords in a local SQLite db in Android?

Hope this helps.

score 0 · Answer 2 · answered May 04 '13 at 08:06

0

Edit your code to this:

Cursor cursor = db.rawQuery("Select " + dbh.name + dbh.pass
+ " from tablename where " +dbh.name +"='"+ e1.getText().toString()+"'", null);

answered May 04 '13 at 08:06

Daryn

770
9
19

score 0 · Answer 3 · answered May 04 '13 at 08:36

dbh.name + dbh.pass means what? is this both are different columns? if yes then you have to pass this both column name with comma like,

dbh.name +","+ dbh.pass

and fire select query like,

SELECT "+ dbh.name+","+dbh.pass +" FROM TABLE_NAME WHERE dbh.name=?", new String [] { e1.getText().toString() });

Hope this will solve your problem :)

SELECT WHERE sql query

3 Answers3