I have a function which is executing a query on a table in SQLite database. I declare a constant: public static final String CANADA_HISTORY = "Canada's History";. This is stored in a String variable let's say difficulty,
I have one query:
Cursor c = mDb.rawQuery("select * from Questions_answers where CHAPTERS = '"+difficulty+"'" , null);
It is throwing an exception near the apostrophe.
Logcat output:
I/Database( 1170): sqlite returned: error code = 1, msg = near "s": syntax error
D/AndroidRuntime( 1170): Shutting down VM
W/dalvikvm( 1170): threadid=1: thread exiting with uncaught exception (group=0x40015560)
E/AndroidRuntime( 1170): FATAL EXCEPTION: main
E/AndroidRuntime( 1170): android.database.sqlite.SQLiteException: near "s": syntax error: , while compiling: select * from Questions_answers where CHAPTERS = 'Canada's History'
I have also tried:
1. difficulty=difficulty.replaceAll("'","''");
2. difficulty=difficulty.replaceAll("'","\'");
3. difficulty = DatabaseUtils.sqlEscapeString(difficulty);
To add to that, it's working me for the single words like Canada History, I mean without the special character word.
Please give me advice for the solve problem Thanks.
First replace char with this
difficulty=difficulty.replaceAll("'","\\'");
then pass it in your query
"select * from Questions_answers where CHAPTERS='"+difficulty+"'";
Edit :
q = "select * from Questions_answers where CHAPTERS = ?";
database.rawQuery(q, new String[] { difficulty});
The SQL standard specifies that single-quotes in strings are escaped by putting two single quotes in a row. SQL works like the Pascal programming language in the regard. SQLite follows this standard. Example:
INSERT INTO xyz VALUES('5 O''clock');
Ref : SQLite FAQ
The best way is to use a native Android method designed for exactly this purpose:
DatabaseUtils.sqlEscapeString(String)
Here is the documentation for it online:
The main advantage of using this method, in my opinion, is the self-documentation because of the clear method name.
What worked for me was
if (columnvalue.contains("'")) {
columnvalue = columnvalue.replaceAll("'", "''");
}
you can try Cursor c = mDb.rawQuery("select * from Questions_answers where CHAPTERS = \""+difficulty+"\"" , null);
This will work the same:
if (columnValue.contains("'"))
columnValue = columnValue.replaceAll("'", "[']");
or
if (columnValue.contains("'"))
columnValue = columnValue.replaceAll("'", "\\\'");
but in actuality we use next symbols % and _
What DatabaseUtils.sqlEscapeString(s) essentially does, is replace all single quotes (') with two single quotes ('') and append one single quote at the beginning and one at the end of the String.
So if you just want to escape the String this function should work:
private static String escape(String s) {
return s != null ? s.replaceAll("\'", "\'\'") : null;
}
As per my understanding there are two approcaches,
String test= "Android's vaersion" test= test.replace("'","''");
This scenario is absolutely fine but i would definitely suggest to use following approach.
String test= "Android's vaersion" test= test.replaceAll("'","\'");
We faced the issue because of first approach when we were trying to update and select SQLite Table Value with '.
don't you need to escape the \ as well? so it would be replaceAll("'", "\\'") Or am I wrong about that?
来源:https://stackoverflow.com/questions/12615113/how-to-escape-special-characters-like-in-sqlite-in-android