19

can anybody tell How to escape or replace not supported character like single quotes in sqlite in android can anybody give example

Thanks

Vikas Patidar
  • 42,865
  • 22
  • 93
  • 106
mohan
  • 13,035
  • 29
  • 108
  • 178

3 Answers3

41

You can utilize the commons-lang utility or you can use a regexp to handle it.

If you're building dynamic SQL, what I would suggest is trying to use a prepared statement which would eliminate the need for escaping single quotes.

Using just a dynamic SQL built using string concatenation:

String value = "one's self";
StringBuilder query= new StringBuilder();
query.append("insert into tname(foo) values (").append(value).append(")");
... execute call with query.toString() ...

Change that to

String value = "one's self";
value= DatabaseUtils.sqlEscapeString(value);
StringBuilder query= new StringBuilder();
query.append("insert into tname(foo) values (").append(value).append(")");
... execute call with query.toString() ...

Ideally, use a prepared statement

String value = "one's self";
StringBuilder query= StringBuilder();
query.append("insert into tname(foo) values (?)");
SQLiteStatement stmt= db.compileStatement(query.toString());
stmt.bindString(1, value);
long rowId= stmt.executeInsert();
// do logic check for > -1 on success

This way you don't run into "SQL injection attacks".

Refer to http://developer.android.com/reference/android/database/sqlite/SQLiteStatement.html for more information.

EDIT I did a little more digging, you can use DatabaseUtils.sqlEscapeString(String) to escape the content of a string so that it is valid for a complete SQL statement with no prepares.

Dave G
  • 9,639
  • 36
  • 41
  • Hi dave my values are coming dynamically – mohan Mar 25 '11 at 12:44
  • 2
    @mohan definitely look at the answer that I posted above specifically with the DatabaseUtils.sqlEscapeString(String) method. That will "sanitize" your input allowing you to concatenate the value into the string. I will edit my answer to cover a dynamic value. – Dave G Mar 25 '11 at 12:55
  • Thanks for the `DatabaseUtils.sqlEscapeString()`, that solution works great ! – Someone Somewhere Mar 31 '13 at 23:59
  • 2
    Best answer out there, `DatabaseUtils.sqlEscapeString()` takes care of everything for you. But keep in mind that it will also add "'" before and after, so if you manually constructed your query be sure to remove them, because the method will added them also and you will end up with double "'" that will make your query invalid. Thank you @DaveG for the solution! – Ionut Negru Feb 24 '14 at 09:19
  • `DatabaseUtils.sqlEscapeString()` - by far the best way indeed – Richard Le Mesurier Nov 22 '14 at 20:01
  • Can `DatabaseUtils.sqlEscapeString()` be used anywhere? For instance, if I need to sanitize the name of a table, or the type of a column? – Michael Aug 15 '15 at 22:30
  • @Michael I'm trying to understand your question - the utility will take a string that you *may* be concatenating to make a SQL value out of. I don't know if it would apply in the particular use case you are asking about – Dave G Aug 18 '15 at 12:59
0

Actually, the simpliest way is to replace single quotes (') with two-single quotes (''). Your query will then become:

insert into tname(foo) values ('one''s self');

Explanation: SQLite advocates the use of single quotes (') instead of double quotes (") as string delimiters, claiming that this is what the SQL standard requires (I was unable to confirm this). SQLite also differs from all other SQL databases I know, in that it uses '' instead of \' , again, claiming SQL standards. (Again, I was unable to confirm this claim).

Personally, I tend to disagree with that claim, since every other SQL database I know uses the C way of escaping chars, backslash. Even if it was written to use '' somewhere in ISO's SQL standard, I believe it might be best to revise that standard to use the C way, because in practice, it already is the standard anyway.

Please note that:

insert into tname(foo) values ('ones "self"');

is a valid sql statement by that logic, and requires no additional escaping.

Tuncay Göncüoğlu
  • 1,699
  • 17
  • 21
  • The SQL-92 standard specifies that single-quoted strings are and double-quoted strings are . If you trace through the spec, it doesn't say anywhere that can be used as . In fact, MSSQL doesn't accept double quoted strings where a character string literal is required. For example, SELECT * FROM CUSTOMER WHERE Name = "PapaSloth"; will cause an error in MSSQL. – PapaSloth Feb 28 '15 at 18:01
0

Aren't these done with a simple \? So, your single quote would be \'.

Bill Mote
  • 12,644
  • 7
  • 58
  • 82
  • 1
    If the user is concatenating a string they would need to double the ' to '' so if it were "insert into table (foo) values ('one's self')" would need to be changed to "insert into table (foo) values ('one''s self')" – Dave G Mar 25 '11 at 12:08
  • That\'s fine, but I don't see why that deserves a down vote. I was being sincere. – Bill Mote Mar 25 '11 at 19:21
  • 2
    The escapes you provided are not valid for SQL and don't mitigate the problem. – Dave G Mar 25 '11 at 19:22
  • 1
    SQLite does not support C-Style backslash \ escaping. It uses the pascal style ' -> '' escaping instead. – Tuncay Göncüoğlu Nov 27 '14 at 08:22