Warning: file_get_contents(/data/phpspider/zhask/data//catemap/3/android/192.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
避免androidsqlite中like查询中的SQL注入_Android_Sqlite - Fatal编程技术网
Fatal编程技术网
  • android/
  • 避免androidsqlite中like查询中的SQL注入

避免androidsqlite中like查询中的SQL注入

android sqlite

避免androidsqlite中like查询中的SQL注入,android,sqlite,Android,Sqlite,我尝试使用fallowing在我的SQLite数据库中创建一个搜索方法 Cursor cursor = sqLiteDatabase.rawQuery( "SELECT * FROM " + TableInformation.TABLE_NAME + " LEFT OUTER JOIN " + Favourite

我尝试使用fallowing在我的SQLite数据库中创建一个搜索方法

    Cursor cursor = sqLiteDatabase.rawQuery(
                "SELECT *  FROM "
                        + TableInformation.TABLE_NAME
                        + " LEFT OUTER JOIN "
                        + FavouritesItems.TableInformation.TABLE_NAME
                        + " ON "
                        + FavouritesItems.TableInformation.TABLE_NAME + "." + FavouritesItems.TableInformation.FAVOURITE_ITEM_ID
                        + " = "
                        + TableInformation.TABLE_NAME + "." + TableInformation.ITEM_ID
                        + " WHERE 1 = 1"
                        + (itemSearch.getItemDescription().length() > 0 ? " AND " + TableInformation.ITEM_DESCRIPTION + " LIKE %" + "?" + "% " : "")
                        + (itemSearch.getItemDescriptionEn().length() > 0 ? " AND " + TableInformation.ITEM_DESCRIPTION_EN + " LIKE '%" + "?" + "%' " : "")
                       , mySQLStatementStrings);
但是,当我编译时,它会抛出fallowing异常,因为编译器在like语句“?%”中找不到问号

    FATAL EXCEPTION: main
                                                                                 Process: com.shamisoft.myjewelaryshopproject, PID: 18398
                                                                                 java.lang.IllegalArgumentException: Cannot bind argument at index 1 because the index is out of range.  The statement has 0 parameters.
                                                                                     at android.database.sqlite.SQLiteProgram.bind(SQLiteProgram.java:212)
                                                                                     at android.database.sqlite.SQLiteProgram.bindString(SQLiteProgram.java:166)
                                                                                     at android.database.sqlite.SQLiteProgram.bindAllArgsAsStrings(SQLiteProgram.java:200)
                                                                                     at android.database.sqlite.SQLiteDirectCursorDriver.query(SQLiteDirectCursorDriver.java:47)
                                                                                     at android.database.sqlite.SQLiteDatabase.rawQueryWithFactory(SQLiteDatabase.java:1316)
                                                                                     at android.database.sqlite.SQLiteDatabase.rawQuery(SQLiteDatabase.java:1255)
                                                                                     at com.shamisoft.myjewelaryshopproject.classes.Items.getItemsSearch2(Items.java:705)
                                                                                     at com.shamisoft.myjewelaryshopproject.classes.SearchItemCustomDialog$1.onClick(SearchItemCustomDialog.java:103)
                                                                                     at android.view.View.performClick(View.java:4781)
                                                                                     at android.view.View$PerformClick.run(View.java:19874)
                                                                                     at android.os.Handler.handleCallback(Handler.java:739)
                                                                                     at android.os.Handler.dispatchMessage(Handler.java:95)
                                                                                     at android.os.Looper.loop(Looper.java:135)
                                                                                     at android.app.ActivityThread.main(ActivityThread.java:5254)
                                                                                     at java.lang.reflect.Method.invoke(Native Method)
                                                                                     at java.lang.reflect.Method.invoke(Method.java:372)
                                                                                     at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:902)
                                                                                     at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:697)
问题是在这种情况下如何避免SQL注入

在字符串中,
只是一个普通字符

要用作参数的字符串值在SQL中作为单独的字符串值结束。如果需要,可以将If与其他字符串组合:

... WHERE ...
      AND (Description    LIKE '%' || ? || '%' OR
           Description_EN LIKE '%' || ? || '%')
您必须添加一个
来显示添加参数的位置。你通过了一个参数,但没有地方添加这些参数,因此它抛出了一个例外?mark在like word(itemSearch.getitemsdescription().length()>0?)和“+TableInformation.ITEM_DESCRIPTION+”like%“+”?“+”%:”)之后,现在我意识到这不是问题所在。问题在于SQL查询的格式不正确
>0?
不是一个好的SQL查询(或者是一个有效的SQL查询)。SQL语句运行良好,但只有当用户在编辑文本中写入“尝试从查询中删除%并将其放入MySQLStatementStrings”时,问题才会出现。多年来,我一直在定期搜索此问题的答案,但从未找到答案。一旦你指出答案,这是有道理的,但我从来没有这样想过。非常感谢。