android - SQLiteException: unrecognized token: "\"


Here is the table I want to insert a value into:

    "create table if not exists " + ciphercongfigtable + " (databse_name text primary key not null, databse_key text not null);";

When I want to insert

    String configdbpassword = "x\'2dd29ca89\'";

through the statement

    "insert " + ciphercongfigtable + " values(" + databasename + "," + configdbpassword + ")"

I am getting the exception:

    unrecognized token: "\"

I need the password in the same format, i.e. having the escape character. Is there a way to do it?

Thanks

Don't manually build insert (or other, if you can avoid it) queries on Android (or any other database wrapper, as long as there is a predefined API for what you want). It opens your application to quoting problems like the one in this question and, at worst, SQL injection attacks from outside of your application.

For example, setting configdbpassword = "\"; drop table <tablename>; --" could possibly wreak havoc on your database as long as configdbpassword can be entered by a user.

Also, SQLite uses double quotes ("), backticks (`, borrowed from MySQL), or square brackets ([], borrowed from MS SQL) to quote identifiers (e.g. column or table names with spaces in them), while string literals are canonically quoted with single (') quotes. SQLite is quite liberal in allowing you to mix both quoting types, but it is more readable to use the proper quoting style wherever appropriate. From the documentation:

"Programmers are cautioned not to use the two exceptions described in the previous bullets. We emphasize that they exist only so that old and ill-formed SQL statements will run correctly. Future versions of SQLite might raise errors instead of accepting the malformed statements covered by the exceptions above."

As a matter of fact, you should avoid doing any quoting yourself whenever possible. For inserting values, please instead use SQLiteDatabase.insert(), which is the proper way of inserting values into an SQLiteDatabase on Android. It takes care of proper quoting of the arguments, too:

    db.beginTransaction();
    try {
        // Column values are bound by the framework; no manual quoting needed.
        final ContentValues values = new ContentValues();
        values.put("databse_name", databasename);
        values.put("databse_key", configdbpassword);

        db.insert(ciphercongfigtable, null, values);
        db.setTransactionSuccessful();
    } finally {
        // Runs on both the success and the failure path, so the transaction is always closed.
        db.endTransaction();
    }

Always quote SQL parameters.
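As an added example (not code from the question or the answer), here are both approaches run against real SQLite, with Python's sqlite3 module standing in for Android's SQLiteDatabase: the concatenated statement from the question trips the tokenizer on the backslash, while binding the value, which is what insert() with ContentValues does underneath, stores the password exactly as given and keeps SQL metacharacters inert. The table and value names are the question's own; the helper function names are assumptions made for this demo.

```python
import sqlite3

# Names taken from the question (typos included) so the demo matches the page.
CIPHER_CONFIG_TABLE = "ciphercongfigtable"
CONFIG_DB_PASSWORD = r"x\'2dd29ca89\'"  # raw string: the backslashes survive

def create_table(conn):
    # Identifiers in double quotes, string literals in single quotes, as the answer recommends.
    conn.execute(
        f'CREATE TABLE IF NOT EXISTS "{CIPHER_CONFIG_TABLE}" ('
        '"databse_name" TEXT PRIMARY KEY NOT NULL, '
        '"databse_key" TEXT NOT NULL)'
    )

def insert_by_concatenation(conn, database_name, password):
    """The question's approach: paste the values into the SQL text.
    Returns SQLite's error message, or None when the statement ran."""
    sql = (f"INSERT INTO {CIPHER_CONFIG_TABLE} "
           f"VALUES('{database_name}',{password})")
    try:
        conn.execute(sql)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)  # e.g. unrecognized token: "\"

def insert_bound(conn, database_name, password):
    """What SQLiteDatabase.insert()/ContentValues does underneath:
    the values travel as bound parameters, never as SQL text."""
    with conn:
        conn.execute(
            f'INSERT INTO "{CIPHER_CONFIG_TABLE}" '
            '("databse_name", "databse_key") VALUES (?, ?)',
            (database_name, password),
        )

def read_key(conn, database_name):
    row = conn.execute(
        f'SELECT "databse_key" FROM "{CIPHER_CONFIG_TABLE}" '
        'WHERE "databse_name" = ?', (database_name,),
    ).fetchone()
    return row[0] if row else None

def demo():
    conn = sqlite3.connect(":memory:")
    create_table(conn)
    err = insert_by_concatenation(conn, "main", CONFIG_DB_PASSWORD)
    insert_bound(conn, "main", CONFIG_DB_PASSWORD)
    # A constructed value full of SQL metacharacters is stored verbatim when bound.
    insert_bound(conn, "other", "it's; -- just text")
    return err, read_key(conn, "main"), read_key(conn, "other")

if __name__ == "__main__":
    print(demo())
```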
