Android quotes within an sql query string

Question

I want to perform a query like the following:

uvalue = EditText( some user value );
p_query = \"select * from mytable where name_field = \'\" +  uvalue + \"\         


        

Answer 1

DatabaseUtils.sqlEscapeString worked properly for me. The string is enclosed by single quotes and the single quotes inside the string become double quotes. Tried using selectionArgs in the getContentResolver().query() but it didn't work at all.

Answer 2

I prefer to escape Single quotes and Double quotes in each insert statement with Sqlite like this:

 String sqlite_stament = sqlite_stament.replace("'", "''").replace("\"", "\"\"");

Answer 3

You should make use of the rawQuery method's selectionArgs parameter:

p_query = "select * from mytable where name_field = ?";
mDb.rawQuery(p_query, new String[] { uvalue });

This not only solves your quotes problem but also mitigates SQL Injection.

Answer 4

Have you tried replacing a single quote with 2 single quotes? That works for inputting data to a database.

Answer 5

I have same problem but now it is solved by just writing the code like in your case you want to insert value uvalue .Then write as

uvalue= EditText( some user value );
uvalue = uvalue.replaceAll("'", "''");
p_query = "select * from mytable where name_field = '" +  uvalue + "'" ;
mDb.rawQuery( p_query, null );

cool..!!

Answer 6

You should change

p_query = "select * from mytable where name_field = '" +  uvalue + "'" ;

like

p_query = "select * from mytable where name_field = '" + android.database.DatabaseUtils.sqlEscapeString(uvalue)+ "'" ;