9

我想使用准备好的语句来防止 Android SQLite 数据库上的 sql 注入。Like但是,当查询包含并使用时,rawquery 崩溃Where name = ? 有没有办法在 Android SQLite db 中使用 like 和 prepare 语句?

这是查询:

sqlQuery = "SELECT * FROM " + TABLE_CALLS + " where " + CALLER_NAME + " like ? COLLATE NOCASE or " + CALLER_NBR + " like ? or " + CALLER_EXT + " like ?" + " or " + IS_OUTGOING + " like ?  COLLATE NOCASE or " + TYPE + " like ? COLLATE NOCASE";

Cursor cursor = database.rawQuery(sqlQuery, new String[]{"%" + criterion + "%", "%" + criterion + "%","%" + criterion + "%","%" + criterion + "%","%" + criterion + "%"});

它给出了超出范围的绑定或列索引谢谢。

4

3 回答 3

21 
    if (name.length() != 0) {

        name = "%" + name + "%";
    }
    if (email.length() != 0) {
        email = "%" + email + "%";
    }
    if (Phone.length() != 0) {
        Phone = "%" + Phone + "%";
    }
    String selectQuery = " select * from tbl_Customer where Customer_Name like  '"
            + name
            + "' or Customer_Email like '"
            + email
            + "' or Customer_Phone like '"
            + Phone
            + "' ORDER BY Customer_Id DESC";

    Cursor cursor = mDb.rawQuery(selectQuery, null);`
于 2013-05-07T10:58:10.693 回答
7

尝试

Cursor cursor = database.rawQuery(sqlQuery, new String[]{"'%" + criterion + "%'", 
   "'%" + criterion + "%'",
   "'%" + criterion + "%'",
   "'%" + criterion + "%'",
   "'%" + criterion + "%'"});

您在前后都缺少“'”。

于 2013-05-07T11:04:04.030 回答
1

试试就好。。

String[] a = new String[5];
a[0]       = '%' + criterion + '%';
a[1]       = '%' + criterion + '%';
a[2]       = '%' + criterion + '%';
a[3]       = '%' + criterion + '%';
a[4]       = '%' + criterion + '%';
Cursor cursor = database.rawQuery(sqlQuery,a);
于 2013-05-07T10:51:25.560 回答