开发者

Does the Android SQLite implementation sanitize input via the SQLiteDatabase.insert() method?

开发者 https://www.devze.com 2023-01-24 16:51 出处:网络
The SQLiteDataBase.insert(String, String, ContentValues) convenience method takes a ContentValues object which contains all of the column values of a row to be inserted 开发者_JS百科into the database.

The SQLiteDataBase.insert(String, String, ContentValues) convenience method takes a ContentValues object which contains all of the column values of a row to be inserted 开发者_JS百科into the database. If I use the ContentValues.put() methods to build a ContentValues object to insert into the database, does either put() or insert() sanitize the input or do I have to do that myself?


Yes, this will protect you from injection. You can see in the source that insertWithOnConflict (which is called by insert) correctly uses ? place-holders in a SQLiteStatement.


%W will sanitize it with double quotes, but how much sanitation are you wanting?

0

精彩评论

暂无评论...
验证码 换一张
取 消