Which way to use db.update is faster and better in android? ie: construct the entire where clause string along with where clause variable values OR make use of the 4th parameter for update by passing where clause variable values as a string array?
Does passing where clause variable values as a new string array protect against sql injection attacks?
public boolean UpdateChannelSortKey(Channel c)
{
ContentValues cv = new ContentValues();
cv.put("SortKey", c.SortKey);
return this.db.update("Channels", cv, "ChannelID = ?", new String[]{String.valueOf(c.ChannelID)}) > 0;
}
OR
public boolean UpdateChannelSortKey(Channel c)
{
ContentValues cv = new ContentValues();
cv.put("SortKey", c.SortKey);
return this.db.update("Channels", cv, "ChannelID = " + c.ChannelID, null) > 0;
}
The first way is preferable, because:
1) Yes, it protects against sql-injection attacks.
2) It is better to always use the prepared statements - not in android only, so you will obtain a good habit.
3) IMHO, it has higher readability.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With