0

Considering whereArgs in functions like:

mDatabase.update(TABLE_NAME, values, whereClause, whereArgs)

I know it is used for "?"s in whereClause, but I have no idea why to invent this whereArgs instead of inserting the args into whereClause directly. Did not find any convenience by extracting the "?"s from whereClause to whereArgs. Could anyone give a good example that shows how useful is whereArgs? Appreciate it!

skyin
  • 558
  • 5
  • 18
  • 2
    a simple reason is to prevent **SQL injection** – SMR Jul 07 '14 at 08:59
  • @SMR there are other ways to prevent SQL injection, so this doesn't answer the question by itself (although maybe that's why you made it a comment and not an answer) – user253751 Jul 07 '14 at 09:00
  • @immibis if you know the exact reason the you are welcome to answer. :) – SMR Jul 07 '14 at 09:02
  • About how to use whereArgs take a look on related questions http://stackoverflow.com/questions/9631947/how-to-use-whereclause-whereargs-when-updating-a-table-in-sqlite and http://stackoverflow.com/questions/5373380/whereargs-sqlite-database-delete. – Mihai8 Jul 07 '14 at 09:03
  • @SMR Yah, should be a reason. I'm new in SQL and a bit misled by Android's reference -- "Convenience method for...". Didn't think it can be security reason. – skyin Jul 08 '14 at 03:03
  • @SMR When checking SQL injection, I also found it is called [**Prepared statement**](http://en.wikipedia.org/wiki/Prepared_statement). It states there is another advantage of increasing the efficiency of repeated similar statements. But I guess that's not the case in using Android functions like delete, insert, etc. right? – skyin Jul 08 '14 at 03:21
  • @immibis lol, seems I can only @ one person at a time. Would you mind have a check on above comment? – skyin Jul 08 '14 at 03:22

1 Answers1

1

As the documentation says, it's used for ? markers in your query string. For example, you might use this:

SQLiteDatabase.delete("users", "user_name = ?", new String[] {"Talib"});

The use of parameter markers is very important for avoiding SQL injection. For example,

SQLiteDatabase.delete("users", "user_name = ?", new String[] {"' OR '' = '"});

will not delete all rows of your table, but if you naively did

SQLiteDatabase.delete("users", "user_name = '" + userName + "'");

and userName was set to "' OR '' = '", that would indeed nuke your whole table.

From : https://stackoverflow.com/a/18304490/1239966

Community
  • 1
  • 1
Shivam Verma
  • 7,973
  • 3
  • 26
  • 34
  • Yah, correct. Didn't think about security reason. Thanks! When checking SQL injection, I also found it is called [**Prepared statement**](http://en.wikipedia.org/wiki/Prepared_statement). It states there is another advantage of increasing the efficiency of repeated similar statements. But I guess that's not the case in using Android functions like delete, insert, etc. right? – skyin Jul 08 '14 at 03:25
  • Thanks Shivam! Found it could be useful when using "transaction". https://wiki.appcelerator.org/display/guides2/Working+with+a+SQLite+Database#WorkingwithaSQLiteDatabase-Usetransactionstospeedbatchinserts – skyin Jul 08 '14 at 09:37