0

我正在通过以下方式使用游标从 Android 查询 SQLite

Cursor searchCusor = getCursorForSearchQuery(str);

其中 str 是一个字符串。此字符串可能包含单引号和双引号。因此,当光标尝试搜索时,它会引发异常

04-12 17:32:11.961: E/AndroidRuntime(2337): FATAL EXCEPTION: main
04-12 17:32:11.961: E/AndroidRuntime(2337): android.database.sqlite.SQLiteException: unrecognized token: "' AND latitude != 0 AND longitude != 0 ORDER BY title ASC": , while compiling: SELECT _id, title FROM node WHERE title LIKE '%'%' AND latitude != 0 AND longitude != 0 ORDER BY title ASC
04-12 17:32:11.961: E/AndroidRuntime(2337):     at android.database.sqlite.SQLiteCompiledSql.native_compile(Native Method)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at android.database.sqlite.SQLiteCompiledSql.compile(SQLiteCompiledSql.java:91)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at android.database.sqlite.SQLiteCompiledSql.<init>(SQLiteCompiledSql.java:64)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at android.database.sqlite.SQLiteProgram.<init>(SQLiteProgram.java:80)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at android.database.sqlite.SQLiteQuery.<init>(SQLiteQuery.java:46)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at android.database.sqlite.SQLiteDirectCursorDriver.query(SQLiteDirectCursorDriver.java:53)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at android.database.sqlite.SQLiteDatabase.rawQueryWithFactory(SQLiteDatabase.java:1412)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at android.database.sqlite.SQLiteDatabase.queryWithFactory(SQLiteDatabase.java:1296)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at android.database.sqlite.SQLiteDatabase.query(SQLiteDatabase.java:1251)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at android.database.sqlite.SQLiteDatabase.query(SQLiteDatabase.java:1331)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at com.mid.kew.apies.KewDatabaseHelper.getCursorForSearchMapPage(KewDatabaseHelper.java:285)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at com.mid.kew.activities.MapFragment.getCursorForSearchQuery(MapFragment.java:538)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at com.mid.kew.activities.MapFragment.access$12(MapFragment.java:537)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at com.mid.kew.activities.MapFragment$6.afterTextChanged(MapFragment.java:348)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at android.widget.TextView.sendAfterTextChanged(TextView.java:6271)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at android.widget.TextView$ChangeWatcher.afterTextChanged(TextView.java:6454)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at android.text.SpannableStringBuilder.sendTextHasChanged(SpannableStringBuilder.java:903)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at android.text.SpannableStringBuilder.change(SpannableStringBuilder.java:359)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at android.text.SpannableStringBuilder.change(SpannableStringBuilder.java:275)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at android.text.SpannableStringBuilder.replace(SpannableStringBuilder.java:438)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at android.text.SpannableStringBuilder.replace(SpannableStringBuilder.java:415)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at android.text.SpannableStringBuilder.replace(SpannableStringBuilder.java:28)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at android.view.inputmethod.BaseInputConnection.replaceText(BaseInputConnection.java:583)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at android.view.inputmethod.BaseInputConnection.commitText(BaseInputConnection.java:174)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at com.android.internal.widget.EditableInputConnection.commitText(EditableInputConnection.java:120)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at com.android.internal.view.IInputConnectionWrapper.executeMessage(IInputConnectionWrapper.java:247)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at com.android.internal.view.IInputConnectionWrapper$MyHandler.handleMessage(IInputConnectionWrapper.java:73)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at android.os.Handler.dispatchMessage(Handler.java:99)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at android.os.Looper.loop(Looper.java:144)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at android.app.ActivityThread.main(ActivityThread.java:4937)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at java.lang.reflect.Method.invokeNative(Native Method)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at java.lang.reflect.Method.invoke(Method.java:521)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:868)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:626)
04-12 17:32:11.961: E/AndroidRuntime(2337):     at dalvik.system.NativeStart.main(Native Method)

我尝试如下替换单引号

str.replace("'", "\' ");

但这没有成功,并给出了同样的错误

4

2 回答 2

1

你还没有展示你的getCursorForSearchQuery方法做了什么,但我猜它只是直接在 SQL 中包含了值。不要那样做。使用带有 的参数化 SQL 查询PreparedStatement,一切都应该很好。您当前的错误不仅会消失,而且您还将关闭 SQL 注入攻击漏洞,并且您将能够更好地处理其他数据类型而不会出现转换问题。

于 2012-04-11T16:42:34.467 回答
0

我之前使用了以下语句

myDatabase.query("node", new String[]{"_id","title"}, "title LIKE \'%" + stringToSearch +"%\' AND latitude != 0 AND longitude != 0" ,null, null,null, "title ASC");

这造成了我提到的问题

所以我将查询修改为

myDb.query("node", new String[]{"_id","title"}, "title LIKE ? AND latitude != 0 AND longitude != 0" ,new String[]{"%"+stringToSearch+"%"}, null,null, "title ASC");

现在工作正常。

于 2012-04-12T09:32:41.563 回答