SQLite query with selection arguments

Question

I have the following SQLite query:

ArrayList<Long> idList = new ArrayList<>();

// adding Long values to idList

SQLiteDatabase db = getReadableDatabase();

final String whereClause = COLUMN_DEVICE_ID + " IN (?)";
final String[] whereArgs = new String[]{TextUtils.join(", ", idList)};

Cursor cursor = db.query(TABLE_DEVICES, null, whereClause, whereArgs,
    null, null, null);

Executing this query results in an empty Cursor.

It seems like the reason of the problem is the whereArgs String does not get inserted into the whereClause.

I debugged the code and noticed that the mQuery field of the Cursor is initialized to the following:

SELECT * FROM table_devices WHERE device_id IN (?)

Why is the ? not getting replaced with the whereArgs?

Thanks in advance.

what do you get when you execute TextUtils.join(", ", idList)? — user1506104, Oct 05 '16 at 09:57
similiar question and answer here http://stackoverflow.com/a/7419062/4665578 — Beeing Jk, Oct 05 '16 at 10:05

score 1 · Answer 1 · answered Oct 05 '16 at 10:05

Solved the problem with the following:

final String args = TextUtils.join(", ", ids);
final String whereClause = String.format(COLUMN_DEVICE_ID + " IN (%s)", args);

Cursor cursor = db.query(TABLE_DEVICES, null, whereClause,
    null, null, null, null);

Although i'm not sure how safe this is compared to the ? + whereArgs approach (regarding SQL injection).

SQLite query with selection arguments

1 Answers1