String[] whereArgs also present in update function of SQLiteDatabase class, what does it depicts?? I've read the documentation but not getting it,Please help. Thanks in Advance !!
Asked
Active
Viewed 2,067 times
2 Answers
9
As the documentation says, it's used for ? markers in your query string. For example, you might use this:
SQLiteDatabase.delete("users", "user_name = ?", new String[] {"Talib"});
The use of parameter markers is very important for avoiding SQL injection. For example,
SQLiteDatabase.delete("users", "user_name = ?", new String[] {"' OR '' = '"});
will not delete all rows of your table, but if you naively did
SQLiteDatabase.delete("users", "user_name = '" + userName + "'");
and userName was set to "' OR '' = '", that would indeed nuke your whole table.
C. K. Young
- 219,335
- 46
- 382
- 435
4
If your whereClause is of the form somecolumn=?, the first element out of whereArgs will be used to replace the ?. These are called positional parameters. The advantage of using positional parameters is that SQLite will handle quoting the string, escaping any embedded quotes, etc.
CommonsWare
- 986,068
- 189
- 2,389
- 2,491