Android SQLite INSERT

Question

I am using execSQL on SQLite database. The sql INSERT strnig is

INSERT INTO Tasks 
(_id, Aircraft, Station, Discrepancy,DateCreated, CreatedBy, Status, DateClosed, ClosedBy, ArrivalFlightID, RecordChangedByUI)  
 VALUES 
('271104','   ','ORD','Critical Flight (0496/28)','9/4/2011 6:57:00 PM','SYSTEM','NEW','','null','0','N')

Table is

"create table Tasks 
(_id integer primary key, "
+ "Aircraft text null, Station text null, Discrepancy text null, DateCreated text null, CreatedBy text null, Status text null, DateClosed text, ClosedBy text null, ArrivalFlightID text null, RecordChangedByUI text null);";

It's throwing an exception "Empty bindArgs"

Can anybody tell me where I am going wrong ?

Answer 1

You can not pass null as second parameter. If you're not using it, just ignore it and it will work:

String sql = "INSERT INTO Tasks (_id, Aircraft, Station, Discrepancy,DateCreated, CreatedBy, Status, DateClosed, ClosedBy, ArrivalFlightID, RecordChangedByUI) " VALUES ('" + tasks[i]._id + "','" + tasks[i].Aircraft + "','" + tasks[i].Station + "','" + tasks[i].Discrepancy + "','" + tasks[i].DateCreated + "','" + tasks[i].CreatedBy + "','" + tasks[i].Status + "','" + tasks[i].DateClosed + "','" + tasks[i].ClosedBy + "','" + tasks[i].ArrivalFlightID + "','N')"; 
this.database.execSQL(sql); 

However, the above example is vulnerable - SQL query can be easily injected. All strings passed to the query should be escaped via DatabaseUtils.sqlEscapeString(task[i].something).

Answer 2

Try executing database.insert or insertOrThrow. It requires the explicit adding of each field to a ContentValues object, but it is so much neater.

ContentValues insertValues = new ContentValues();
insertValues.put("_id", tasks[i]._id);
... // other fields
long rowId = this.database.insert(DATABASE_TABLE, null, insertValues);