preferred way to update sqlite db in android

Which way of using db.update is faster and better in Android, i.e. constructing the entire where clause string along with the where clause variable values, OR making use of the 4th parameter of update by passing the where clause variable values as a string array?

Does passing where clause variable values as a new string array protect against sql injection attacks?

    public boolean UpdateChannelSortKey(Channel c)
    {
        ContentValues cv = new ContentValues();
        cv.put("SortKey", c.SortKey);
        // where-clause value is bound through the selectionArgs parameter
        return this.db.update("Channels", cv, "ChannelID = ?", new String[]{String.valueOf(c.ChannelID)}) > 0;
    }

OR

    public boolean UpdateChannelSortKey(Channel c)
    {
        ContentValues cv = new ContentValues();
        cv.put("SortKey", c.SortKey);
        // where-clause value is concatenated into the SQL string
        return this.db.update("Channels", cv, "ChannelID = " + c.ChannelID, null) > 0;
    }
Raj asked Feb 24 '23 22:02


1 Answer

The first way is preferable, because:

1) Yes, it protects against SQL injection attacks.

2) It is better to always use prepared statements, not only on Android, so you will build a good habit.

3) IMHO, it has higher readability.

Vladimir Ivanov answered Feb 27 '23 11:02
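The difference the answer describes, as an added example written against Python's sqlite3 module (the same engine Android's SQLiteDatabase wraps) rather than the Android API; it is not code from the question or the answer. The Channels table, its rows and the hostile ChannelID value are constructed for the demonstration, and it assumes ChannelID could arrive as an untrusted string rather than a numeric field.

```python
import sqlite3


def make_db():
    # Constructed sample schema mirroring the question's Channels table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Channels (ChannelID INTEGER PRIMARY KEY, SortKey INTEGER)")
    con.executemany("INSERT INTO Channels VALUES (?, ?)", [(1, 10), (2, 20), (3, 30)])
    con.commit()
    return con


def update_sort_key_concat(con, channel_id, sort_key):
    # Second variant from the question: the where-clause value is concatenated
    # into the SQL text, so SQLite parses whatever the value contains.
    sql = "UPDATE Channels SET SortKey = ? WHERE ChannelID = " + str(channel_id)
    cur = con.execute(sql, (sort_key,))
    con.commit()
    return cur.rowcount  # number of rows actually updated


def update_sort_key_param(con, channel_id, sort_key):
    # First variant from the question: the where-clause value is bound as a
    # parameter (Android's selectionArgs), so it is compared as data, never parsed.
    cur = con.execute(
        "UPDATE Channels SET SortKey = ? WHERE ChannelID = ?", (sort_key, channel_id)
    )
    con.commit()
    return cur.rowcount


def sort_keys(con):
    # Snapshot of the table for checking what each variant touched.
    return dict(con.execute("SELECT ChannelID, SortKey FROM Channels ORDER BY ChannelID"))


if __name__ == "__main__":
    hostile = "1 OR 1=1"  # constructed untrusted value standing in for a ChannelID
    con = make_db()
    print("concat  :", update_sort_key_concat(con, hostile, 0), "rows", sort_keys(con))
    con = make_db()
    print("bound   :", update_sort_key_param(con, hostile, 0), "rows", sort_keys(con))
    con = make_db()
    # Binding the id as a string, as Android's String[] selectionArgs does, still
    # matches the INTEGER column because SQLite applies numeric affinity to it.
    print("bound '2':", update_sort_key_param(con, "2", 99), "rows", sort_keys(con))
```

With concatenation the hostile value rewrites the where clause and every row is updated; with binding the same value matches nothing, while a legitimate id passed as a string still matches exactly one row.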