"go through this?" You mean, you'd rather go through the process of constructing SQL by hand, including handling all the quoting rules?

How about "It makes your code smaller, easier to read, and more easily inspected for correctness"? This is a bit of basic SQL usage best practice that unfortunately all too many people ignore. It's of sufficient value and importance that, were I in an environment which LACKED this sort of parameterization -- I would implement it before proceeding further.

If you are dynamically constructing a SQL query yourself, you are ALMOST certainly doing something wrong. There are exceptions, but any time you find yourself doing string concatenation to produce a SQL query, it's worth stopping and seeing if you can use parameters, or avoid the problem with modifications to the schema. The VAST majority of cases I've found in other people's code, or in writing my own, have been avoidable. And in the cases where it's not been avoidable -- constructed join or filter criteria, for example -- the actual data is still ALWAYS supplied via a parameter, without exception.

There would be no such thing as a SQL injection hack were this rule followed consistently.

On Dec 21, 11:46 am, Tobiah <[email protected]> wrote:
> On 12/21/2010 11:38 AM, Mark Murphy wrote:
>
> > String[] args={"somebaldingguy"};
> > rawQuery("SELECT _id, title FROM books WHERE author=?", args);
>
> > The string array elements replace the question mark placeholders.
> > SQLite handles quotation rules for strings for you, so you do not have
> > to worry about embedded quotes or apostrophes.
>
> Oh I see, so that would eliminate any worries of, say, SQL injection
> attack right off? Is there any other reason that one would go
> through this? Any performance gain, etc?
>
> Thanks,
>
> Tobiah
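The point made in the thread, as an added example that is not code from any of the posters: the same `?` placeholders that `rawQuery()` takes on Android are shown here through Python's `sqlite3` module against an in-memory SQLite database, so it runs offline. The `books` table, its rows and the crafted input are constructed for the example. It contrasts a concatenated query (which both breaks on an apostrophe and can be hijacked) with the parameterized form, and also shows the "constructed filter criteria" exception from the reply: the column list is built dynamically from an allow-list, but every value still travels as a parameter.

```python
"""Concatenated vs. parameterized SQLite queries (constructed example).

The ``?`` placeholders here behave the same way as the ones passed to
Android's SQLiteDatabase.rawQuery(sql, selectionArgs): the database binds
the value, so it is never interpreted as SQL text.
"""
import sqlite3

# Constructed sample rows, not data from the thread.
BOOKS = [
    ("First Book", "somebaldingguy"),
    ("Second Book", "somebaldingguy"),
    ("Irish Tales", "O'Brien"),
    ("Secret Memo", "nobody"),
]


def open_db():
    """Return an in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE books (_id INTEGER PRIMARY KEY, title TEXT, author TEXT)"
    )
    conn.executemany("INSERT INTO books (title, author) VALUES (?, ?)", BOOKS)
    return conn


def titles_by_author_concat(conn, author):
    """VULNERABLE: the value is spliced into the SQL string.

    An apostrophe in ``author`` makes the statement a syntax error, and a
    crafted value rewrites the WHERE clause. Kept deliberately to show
    the failure modes.
    """
    sql = "SELECT _id, title FROM books WHERE author='" + author + "' ORDER BY _id"
    return [row[1] for row in conn.execute(sql)]


def titles_by_author_param(conn, author):
    """SAFE: the value is bound to the ``?`` placeholder by SQLite."""
    sql = "SELECT _id, title FROM books WHERE author=? ORDER BY _id"
    return [row[1] for row in conn.execute(sql, (author,))]


# Columns a caller may filter on; the names themselves cannot be parameters,
# so they are checked against this allow-list instead.
ALLOWED_COLUMNS = {"author", "title"}


def titles_filtered(conn, filters):
    """Dynamic filter criteria, done the way the reply describes.

    ``filters`` maps column name -> value. Only the column NAMES are spliced
    into the SQL, and only after an allow-list check; every VALUE is still
    supplied as a bound parameter.
    """
    clauses, args = [], []
    for column, value in filters.items():
        if column not in ALLOWED_COLUMNS:
            raise ValueError("unknown column: %r" % (column,))
        clauses.append(column + "=?")
        args.append(value)
    sql = "SELECT _id, title FROM books"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY _id"
    return [row[1] for row in conn.execute(sql, args)]


def demo():
    """Run both forms against normal, apostrophe and crafted inputs."""
    conn = open_db()
    results = {}
    results["concat_normal"] = titles_by_author_concat(conn, "somebaldingguy")
    try:
        # author='O'Brien' is a syntax error once concatenated.
        titles_by_author_concat(conn, "O'Brien")
        results["concat_apostrophe"] = "no error"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "OperationalError"
    # Crafted value: WHERE author='x' OR '1'='1' returns every row.
    results["concat_injected"] = titles_by_author_concat(conn, "x' OR '1'='1")
    # Bound parameters: the apostrophe is just data, the crafted value matches nothing.
    results["param_apostrophe"] = titles_by_author_param(conn, "O'Brien")
    results["param_injected"] = titles_by_author_param(conn, "x' OR '1'='1")
    results["filtered"] = titles_filtered(
        conn, {"author": "somebaldingguy", "title": "Second Book"}
    )
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The allow-list in `titles_filtered` is the part people get wrong when they conclude "I can't parameterize this": table and column names genuinely cannot be bound, so they must come from a fixed set the code controls, while the values next to them still go through `?`.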

