我正在使用
db.execSQL("INSERT INTO table SELECT NULL WHERE '1'=?;",new String[]{"1"});
db.execSQL("INSERT INTO robot_active_variables\n" +
"SELECT NULL, ravs._id,str,val\n" +
"FROM ( SELECT 'is_answer' AS str, ? AS val\n" +
"UNION ALL SELECT 'is_setting', ?\n" +
"UNION ALL SELECT 'is_val', ?\n" +
"UNION ALL SELECT 'is_group_actions', ?\n" +
"UNION ALL SELECT 'is_lone_action', ?\n" +
"UNION ALL SELECT '_id', ?\n" +
"UNION ALL SELECT 'val', ? ) v\n" +
"join robot_active_variables_super ravs on ravs._id not in (select _id_parent from robot_active_variables);",new String[]{"1", "0", "0", "0", "0", String.valueOf(idAnswer), "0"})
我想使用log.v输出sql插件。
1用String数组替换%s是什么意思,替换'?'的名称是什么?用String数组?我经常在c中注意到这个策略,但从来不知道它叫什么或如何谷歌。
2格式化程序或任何其他方法可以直接进行上述替换吗?
我尝试了什么:
v1: Log.v("custom log.v call " , sql + bindArgs));
but i had to copy paste every var into the "?"
v2: Log.v("custom log.v call " , String.format(sql.replaceAll("\\?","%s"),bindArgs));
but then some queries didn't work, it seems that numbers are converted to text, ie: 'select 1=?' with new String[]{"1"} will give false because it becomes 'select 1="1"'
v3: Log.v("custom log.v call " , String.format(sql.replaceAll("\\?","\"%s\""),bindArgs));
works quite well
答案 0 :(得分:1)
v2: Log.v("custom log.v call " , String.format(sql.replaceAll("\\?","%s"),bindArgs));
但是后来有些查询无效,似乎数字会转换成文字,即:'选择1 =?'使用新的字符串[] {" 1"}会给出错误,因为它变为“选择1 =" 1"'
v3: Log.v("custom log.v call " , String.format(sql.replaceAll("\\?","\"%s\""),bindArgs));
效果很好
这些解决方案都可以。请注意,在第一个版本中,您仍应在执行查询时使用原始字符串,而不是格式化的字符串。如您所述,查询的格式化版本会将所有类型转换为String。这将允许SQL引擎使用正确的类型并正确引用以避免SQL注入。