在 android 中我使用以下语句。
model = dataHelper.rawQuery("SELECT _id, engword, lower(engword) as letter FROM word WHERE letter >= 'a' AND letter < '{' AND engword LIKE '%" + filterText + "%'", new String[ {"_id","engword", "lower(engword) as letter"});
它正在抛出android.database.sqlite.SQLiteException: bind or column index out of range: handle 0x132330
我的代码有什么问题?
【问题讨论】:
正确的说法是:
model = dataHelper.rawQuery("
SELECT _id, engword, lower(engword) as letter
FROM word W
HERE letter >= 'a'
AND letter < '{'
AND engword LIKE ? ORDER BY engword ASC
",
new String[] {"%" + filterText + "%"}
);
【讨论】:
您提供了 3 个参数,但您的查询中没有 ?。将 null 而不是字符串数组作为rawQuery 的第二个参数传递给rawQuery,或者将您选择的字符串中的_id、engword 和lower(engword) as letter 替换为?
1)
model = dataHelper.rawQuery("SELECT ?, ?, ? FROM word WHERE letter >= 'a' AND letter < '{' AND engword LIKE '%" + filterText + "%'",new String[] {"_id","engword", "lower(engword) as letter"});
2)
model = dataHelper.rawQuery("SELECT _id, engword, lower(engword) as letter FROM word WHERE letter >= 'a' AND letter < '{' AND engword LIKE '%" + filterText + "%'", null);
编辑: 正如@Ewoks 指出的那样,选项(1)是不正确的,因为准备好的语句只能在 WHERE 子句中获取参数(?s)。
【讨论】:
如果有人像我一样尝试(但失败)与getContentResolver().query 一起工作,我是如何管理它的:
*感谢 @CL 和 @Wolfram Rittmeyer 的 cmets 更新,因为他们说这与 rawQuery *
正确方法:
public static String SELECTION_LIKE_EMP_NAME = Columns.EMPLOYEE_NAME
+ " like ?";
Cursor c = context.getContentResolver().query(contentUri,
PROJECTION, SELECTION_LIKE_EMP_NAME, new String[] { "%" + query + "%" }, null);
之前对 SQL 注入攻击开放的答案:
public static String SELECTION_LIKE_EMP_NAME = Columns.EMPLOYEE_NAME
+ " like '%?%'";
String selection = SELECTION_LIKE_EMP_NAME.replace("?", query);
Cursor c = context.getContentResolver().query(contentUri,
PROJECTION, selection, null, null);
【讨论】:
sensorId 放入selectionArgs。
selectionArgs,但它不起作用。
selectionArgs。 Android 会小心地将它们转换为安全的字符串。