The SQLiteDataBase.insert(String, String, ContentValues) convenience method takes a ContentValues
object which contains all of the column values of a row to be inserted 开发者_JS百科into the database. If I use the ContentValues.put()
methods to build a ContentValues
object to insert into the database, does either put()
or insert()
sanitize the input or do I have to do that myself?
Yes, this will protect you from injection. You can see in the source that insertWithOnConflict
(which is called by insert
) correctly uses ?
place-holders in a SQLiteStatement
.
%W will sanitize it with double quotes, but how much sanitation are you wanting?
精彩评论