4

The SQLiteDataBase.insert(String, String, ContentValues) convenience method takes a ContentValues object which contains all of the column values of a row to be inserted into the database. If I use the ContentValues.put() methods to build a ContentValues object to insert into the database, does either put() or insert() sanitize the input or do I have to do that myself?

Improve this question
1
  • 1
    Sorry about the bung hyperlinking but it always works in the preview and never in the real post for me... Commented Nov 13, 2010 at 2:44

2 Answers 2

Reset to default
6

Yes, this will protect you from injection. You can see in the source that insertWithOnConflict (which is called by insert) correctly uses ? place-holders in a SQLiteStatement.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

That link appears to be broken, the page says "Unknown identifier: "android/database/sqlite/SQLiteDatabase.java". Falling back to search"
0

%W will sanitize it with double quotes, but how much sanitation are you wanting?

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.