SQL-escape a string. - Android Database


Description

SQL-escape a string.

Demo Code

/*
 * Copyright (C) 2006 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
import android.database.DatabaseUtils;

import java.util.Objects;

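public class Main {
  /**
   * Returns {@code value} as a quoted SQLite string literal, with every embedded
   * single quote doubled.
   *
   * <p>Prefer the {@code ?} binding form wherever possible. This helper only
   * produces a string <em>literal</em>: it is not suitable for table or column
   * names, numeric operands, or any other non-literal part of a statement.
   *
   * @param value the raw string to quote; must not be {@code null}
   * @return the value wrapped in single quotes, e.g. {@code O'Reilly} becomes
   *         {@code 'O''Reilly'}
   * @throws NullPointerException if {@code value} is {@code null}
   */
  public static String sqlEscapeString(String value) {
    Objects.requireNonNull(value, "value");
    // Delegate to the escaper defined in this class rather than the Android one,
    // so the two methods cannot drift apart and the class is self-contained.
    // Presized for the common case of no quotes: input plus the two delimiters.
    StringBuilder escaper = new StringBuilder(value.length() + 2);
    appendEscapedSQLString(escaper, value);
    return escaper.toString();
  }

  /**
   * Appends an SQL string to the given StringBuilder, including the opening and
   * closing single quotes. Any single quotes internal to sqlString will be
   * escaped by doubling them.
   *
   * <p>This method is deprecated because we want to encourage everyone to use the
   * "?" binding form. However, when implementing a ContentProvider, one may
   * want to add WHERE clauses that were not provided by the caller. Since "?"
   * is a positional form, using it in this case could break the caller because
   * the indexes would be shifted to accommodate the ContentProvider's internal
   * bindings. In that case, it may be necessary to construct a WHERE clause
   * manually. This method is useful for those cases.
   *
   * <p>The output is only ever a quoted literal; the only escaping performed is
   * doubling of single quotes, so the result must not be spliced into an
   * identifier position or an unquoted context.
   *
   * @param sb
   *          the StringBuilder that the SQL string will be appended to
   * @param sqlString
   *          the raw string to be appended, which may contain single quotes
   * @throws NullPointerException if {@code sb} or {@code sqlString} is
   *           {@code null}; {@code sb} is left untouched in that case
   */
  public static void appendEscapedSQLString(StringBuilder sb, String sqlString) {
    // Validate before touching sb so a null input never leaves a dangling
    // opening quote behind in the caller's buffer.
    Objects.requireNonNull(sb, "sb");
    Objects.requireNonNull(sqlString, "sqlString");

    sb.append('\'');
    if (sqlString.indexOf('\'') == -1) {
      // Fast path: nothing to escape, copy the whole string at once.
      sb.append(sqlString);
    } else {
      int length = sqlString.length();
      for (int i = 0; i < length; i++) {
        char c = sqlString.charAt(i);
        if (c == '\'') {
          // SQL escapes a single quote inside a literal by doubling it.
          sb.append('\'');
        }
        sb.append(c);
      }
    }
    sb.append('\'');
  }
}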
