public void deleteData(String name,int itemID){
SQLiteDatabase db=getWritableDatabase();
String query="DELETE FROM "+ TABLE_NAME + " WHERE "+ "'"+ COL1 +"'"+ " = "+ itemID + " AND "+ "'" + COL2 + "'" +" ="+ " '"+ name + "'";
db.execSQL(query);
db.execSQL(query);
}

- Possible dup of https://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work – user3486184 Mar 29 '19 at 20:10
- Possible duplicate of [Deleting Row in SQLite in Android](https://stackoverflow.com/questions/7510219/deleting-row-in-sqlite-in-android) – Mihai Mar 29 '19 at 20:10
- Single quotes in SQL are used to enclose string literals. It seems like you enclose the names of your columns in single quotes, making them string literals, and therefore nothing matches. – sticky bit Mar 29 '19 at 20:27
- You should bind values to parameters in your query instead of trying to include them directly in a string. – Shawn Mar 29 '19 at 21:06
1 Answer
The following are wrong or could be considered as wrong:

1. There should be no need to call the exact same query twice.
2. It is considered better to use the Android SDK's convenience methods when they suit (instead of using the execSQL method, the delete method is more appropriate).
3. There is the potential for SQL injection attacks when parameters are used directly in strings that are executed directly as SQL (note that resolving 2 and using the appropriate parameters resolves this issue).
4. There is, unless the columns are named with invalid names, no need to enclose column names in single quotes or alternative characters (invalid names can make life difficult, so if used they would be considered wrong by many).

If the delete (the first one) is not working, or if the delete appears to not return an appropriate result after using pragma count_changes, that could be due to the row not existing (did the row get inserted?) or to the 2nd query, which would delete nothing, hiding the result of the first query. pragma count_changes is deprecated in later versions of SQLite, so it should no longer be used (albeit that Android's SQLite version is typically some way behind).
As a fix to all bar the id not existing, you could use the following:-

public int deleteData(String name, int itemID) {
    SQLiteDatabase db = getWritableDatabase();
    // Column names are identifiers, so they are not quoted; the values are bound via ? placeholders
    String whereclause = COL1 + "=? AND " + COL2 + "=?";
    // whereArgs are always strings; SQLite applies the column's affinity when comparing, so "1" matches an INTEGER 1
    String[] whereargs = new String[]{String.valueOf(itemID), name};
    return db.delete(TABLE_NAME, whereclause, whereargs);
}

- Note that the method's signature results in an int being returned; this will be the number of rows deleted.
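The following is an added example, not code from the question or the answer, that shows both effects the answer describes against a live SQLite database: a single-quoted column name is a string literal, so the concatenated query matches nothing, while a crafted name still makes that same concatenated query delete every row; the bound-parameter form (the equivalent of Android's db.delete with whereArgs) deletes exactly the intended row and treats the payload as plain data. It uses Python's sqlite3 module because it runs against the same SQLite engine; the table name items, the columns id and name, and the three sample rows are constructed for the example.

```python
import sqlite3

# Constructed names standing in for the question's TABLE_NAME / COL1 / COL2 constants.
TABLE_NAME = "items"
COL1 = "id"
COL2 = "name"


def make_db():
    """Create an in-memory database with three constructed sample rows."""
    db = sqlite3.connect(":memory:")
    # Identifiers come from code constants, never from user input, so f-strings are fine here.
    db.execute(f"CREATE TABLE {TABLE_NAME} ({COL1} INTEGER PRIMARY KEY, {COL2} TEXT)")
    db.executemany(
        f"INSERT INTO {TABLE_NAME} ({COL1}, {COL2}) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    db.commit()
    return db


def count_rows(db):
    return db.execute(f"SELECT COUNT(*) FROM {TABLE_NAME}").fetchone()[0]


def delete_concatenated(db, name, item_id):
    """Mirror of the question's query: quoted column names and values pasted into the SQL.

    'id' = 1 compares the string literal 'id' with the integer 1, which is never true,
    so an honest call deletes nothing.  A name containing a quote can still rewrite the
    WHERE clause, because nothing separates data from SQL text.  Returns rows deleted.
    """
    query = (
        "DELETE FROM " + TABLE_NAME + " WHERE '" + COL1 + "' = " + str(item_id)
        + " AND '" + COL2 + "' = '" + name + "'"
    )
    cur = db.execute(query)
    db.commit()
    return cur.rowcount


def delete_bound(db, name, item_id):
    """Parameterised form, equivalent to db.delete(TABLE_NAME, whereclause, whereargs).

    Column names are unquoted identifiers; values travel as bound parameters, so a quote
    inside `name` is just a character in the value.  Returns rows deleted.
    """
    where = f"{COL1} = ? AND {COL2} = ?"
    cur = db.execute(f"DELETE FROM {TABLE_NAME} WHERE {where}", (item_id, name))
    db.commit()
    return cur.rowcount


# Constructed attacker-controlled name: turns `... AND 'name' = 'x' OR '1'='1'` into an always-true clause.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("honest concatenated delete removed", delete_concatenated(db, "alice", 1), "rows")
    print("bound delete with payload removed", delete_bound(db, PAYLOAD, 1), "rows")
    print("bound delete of alice removed", delete_bound(db, "alice", 1), "rows")
    print("concatenated delete with payload removed", delete_concatenated(db, PAYLOAD, 1), "rows")
    print("rows left:", count_rows(db))
```

The honest concatenated call reports 0 deleted rows even though the row exists, which is exactly the symptom the question describes; the same function with the payload wipes the table, because AND binds tighter than OR and the injected '1'='1' is true for every row. The bound version returns 1 for the real row and 0 for the payload, and that return value is the row count the answer says db.delete gives you, so pragma count_changes is not needed.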
