I am trying to retrieve data from 7 tables and needs to join them to retrieve data , and I am trying to implement Content Provider for this project. I got lots of sample to follow for a single table execution using content provider, but can't get a strong sample to follow for the join case. And in advance I need to pass a string parameter to query for joining table on the base of that string parameter.
for sample I was trying with two tables with not much of luck to pass parameter
case JOIN_FOR_ALL_EVENT_TABLE:
//it is used to get Id but I need a string parameter to pass
//it here, and I don't know how can I achieve that.
//This works for only case of id not the String.
// And the event_id in my case is a string needs to have - symbol
//on it.
_id = ContentUris.parseId(uri);
Log.e("************* args ",_id + "");
retCursor = db.rawQuery(
"SELECT * " +
"from " +
"event_info" + " LEFT JOIN "
+ "wild_animal_info" + " ON "
+ "event_info.event_id"
+ " = " + "wild_animal_info.event_id"+" WHERE "+"event_info.event_id"+" ="+ args[0] ,null);
break;
default:
And the dbHelper looks like this for join
/**
* Method to get all data using join
*/
public void getAllDataFromEventId(String eventId){
Cursor cursor = myCR.query(ContentUris.withAppendedId(
TigerContract.CONTENT_URI_RELATIONSHIP_JOIN, id),null,null,null,null);
if(cursor.moveToFirst()){
Log.v("***********","size of crsor "+cursor.getCount());
cursor.moveToFirst();
Log.v("********NEW ",cursor.getString(1));
Log.v("********NEW ",cursor.getString(2));
Log.v("********NEW ",cursor.getString(4));
Log.v("********NEW ",cursor.getString(5));
}else{
cursor.close();
Log.v("*********New ","Didn't got anything there");
}
And all other thing I did in contract class for Join are
public static final String PATH_JOIN_FOR_ALL_EVENT_TALBE = "join_for_all_event_table";
public static final Uri CONTENT_URI_RELATIONSHIP_JOIN= BASE_CONTENT_URI.buildUpon().appendPath(PATH_JOIN_FOR_ALL_EVENT_TALBE).build();
public static final String CONTENT_TYPE_JOIN = "vnd.android.cursor.item/" + CONTENT_AUTHORITY +"/"+ PATH_JOIN_FOR_ALL_EVENT_TALBE;
So, I am waiting for a strong sample to follow on for join case in Content Provider. And thanks in advance for all the good people out there.
Related
Recently I got to know that raw query in android can not prevent SQL injection and thus I decided to convert all queries in Prepared statement which is SQL injection prevention. But I don't know how to convert complex queries in Prepared Statement.
I want to convert below queries:
1.
select
*
FROM
TableName
where
(tab1col1 in(SELECT tab2Col2 FROM MasterTable where tab2col1='Y')
or tab1col2 = CV.TRUE)
order by
tab1col3, tab1col4, tab1col5,tab1col6
2.
Select
* ,count(*) as TOTAL_COUNT ,
SUM(CASE WHEN tabCol1 LIKE '%todayDate%' THEN 1 ELSE 0 END) as TOTAL_COL1_COUNT
from
TableName
group by tabCol2;
You can use rawQuery to prevent injection by passing any arguments via the selectionargs (2nd parameter).
SQL injection, wouldn't apply to either of the queries, as they are hard coded and have no user generated/supplied inputs.
e.g. your first query could be (assuming that, 'Y' and CV.TRUE are passed as parameters (i.e. user generated/supplied) for the sake of demonstration) :-
public Cursor query1raw(String indicator1,String indicator2) {
String sql = "SELECT * " +
" FROM TableName " +
" WHERE (tab1col1" +
" IN(" +
" SELECT tab2col2 " +
" FROM MasterTable " +
" WHERE tab2col1=?)" +
" OR tab1col2=?)" +
" ORDER BY tab1col3, tab1col4,tab1col5,tab1col6";
String[] args = new String[]{indicator1,indicator2};
return mDB.rawQuery(sql,args);
}
However, the convenience methods are generally recommended rather than rawQuery or execSQL when they can be used, again using bound strings via arguments, the above, using the query convenience method could be :-
public Cursor query1(String indicator1, String indicator2) {
String whereclause = "(tab1col1 IN(SELECT tab2col2 FROM MasterTable WHERE tab2col1=?) OR tab1col2=?)";
String[] whereargs = new String[] {indicator1,indicator2};
String order_columns = "tab1col3,tab1col4,tab1col5,tab1col6";
return mDB.query("TableName",null,whereclause,whereargs,null,null,order_columns);
}
You wouldn't use prepared statements themselves as they are restricted to returning single values, not a row or rows with multiple columns.
Warning not advised
However, you could, if you really wanted, use :-
public Cursor query1ps(String indicator1,String indicator2) {
String[] whereargs = new String[] {indicator1,indicator2};
SQLiteStatement stmnt = mDB.compileStatement("SELECT * " +
" FROM TableName " +
" WHERE (tab1col1" +
" IN(" +
" SELECT tab2col2 " +
" FROM MasterTable " +
" WHERE tab2col1=?)" +
" OR tab1col2=?)" +
" ORDER BY tab1col3, tab1col4,tab1col5,tab1col6");
stmnt.bindAllArgsAsStrings(whereargs);
Log.d("PREPAREDSQL",stmnt.toString());
String sql = stmnt.toString().replace("SQLiteProgram:","");
return mDB.rawQuery(sql,null);
}
As you can see all the prepared statement is doing as such, is substituting the arguments, so has little benefit over the other methods. This would also be dependant upon SQLIteProgram: remaining constant.
The only way to prevent SQL injections is to use parameters. (In some PHP APIs, the only way to get parameters is to use prepared statements, but that is not one of the warts in the Android database API.)
Just write ? for any string, and pass the values separately:
String name = ...;
String password = ...;
cursor = db.rawQuery("SELECT SomeCol FROM Users WHERE Name = ? AND Password = ?",
new String[]{ name, password });
Please not that SQL injection could happen only if you have string values that are controlled by the (potentially-hostile) user. Your queries above do not look as if this were the case.
I reference this link android developer training to implement for the retrieving contact detail with selection criteria
/*
* Defines the selection clause. Search for a lookup key
* and the Email MIME type
*/
private static final String SELECTION =
Data.LOOKUP_KEY + " = ?" +
" AND " +
Data.MIMETYPE + " = " +
"'" + Email.CONTENT_ITEM_TYPE + "'";
#Override
public Loader<Cursor> onCreateLoader(int loaderId, Bundle args) {
// Choose the proper action
switch (loaderId) {
case DETAILS_QUERY_ID:
// Assigns the selection parameter
mSelectionArgs[0] = mLookupKey;
// Starts the query
CursorLoader mLoader =
new CursorLoader(
getActivity(),
Data.CONTENT_URI,
PROJECTION,
SELECTION,
mSelectionArgs,
SORT_ORDER
);
...
}
When goes into change the contact name for example. Then in one case when adding contact is made by our application, cursor loader can't correctly detect the changes. I check the lookup key, that added contact key is different with others (for example : Orod-1340xxxxxxxx).
After searching the discussion, lookup key may change and suggest to use contact lookup uri with the lookup key. But the lookup uri cannot be used in above query. I need to query in Data table for the detail info.
How can i achieve that?
Thanks a lot.
Try using CONTACT_ID instead of LOOKUP_KEY.
private static final String SELECTION =
Data.CONTACT_ID + " = ? AND " +
Data.MIMETYPE + " = '" + Email.CONTENT_ITEM_TYPE + "'";
You might stumble upon warnings not to use contact-ids and instead use lookup keys or lookup uris, but that's for persisting a contact reference into a database for long keeping, if you're app is currently up and running, and just recently queried for this contact-id, it's perfectly safe and ok to use it, it's even better to use contact-ids for this purpose since it's more stable as a standalone id.
See more info here and here
update: looking at "vnd.android.cursor.dir/vnd.google.note" and "vnd.android.cursor.item/vnd.google.note" it seemed to me as though the cursor was for one table.
From the examples it appears as though content provider were designed to work with one table. I do know how to use multiple tables in sqlite but it seems to me that the content provider seems to be about picking one row or multiple rows from one table.
see http://developer.android.com/guide/topics/providers/content-provider-creating.html
Also, see the notepad sample in adt-bundle-windows-x86-20131030\sdk\samples\android-19\legacy\NotePad\src\com\example\android\notepad
Suppose I want to have notes by topic.
I would like to have a Topics table with columns _id and Title_text.
I would like to have the Notes table with columns _id and foreign key Topic_id and Note_text.
How would one design the Topics and Notes?
But looking at the Notes sample, the content URIs and docs on content providers, it appears as though having multiple related tables is an afterthought and is not obvious to me.
from NotepadProvider.java, Notepad.java:
public static final String CONTENT_TYPE = "vnd.android.cursor.dir/vnd.google.note";
/**
* The MIME type of a {#link #CONTENT_URI} sub-directory of a single
* note.
*/
public static final String CONTENT_ITEM_TYPE = "vnd.android.cursor.item/vnd.google.note";
public static final Uri CONTENT_ID_URI_BASE
= Uri.parse(SCHEME + AUTHORITY + PATH_NOTE_ID);
/**
* The content URI match pattern for a single note, specified by its ID. Use this to match
* incoming URIs or to construct an Intent.
*/
public static final Uri CONTENT_ID_URI_PATTERN
= Uri.parse(SCHEME + AUTHORITY + PATH_NOTE_ID + "/#");
#Override
public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs,
String sortOrder) {
...
switch (sUriMatcher.match(uri)) {
// If the incoming URI is for notes, chooses the Notes projection
case NOTES:
qb.setProjectionMap(sNotesProjectionMap);
break;
/* If the incoming URI is for a single note identified by its ID, chooses the
* note ID projection, and appends "_ID = <noteID>" to the where clause, so that
* it selects that single note
*/
case NOTE_ID:
qb.setProjectionMap(sNotesProjectionMap);
qb.appendWhere(
NotePad.Notes._ID + // the name of the ID column
"=" +
// the position of the note ID itself in the incoming URI
uri.getPathSegments().get(NotePad.Notes.NOTE_ID_PATH_POSITION));
break;
When creating a ContentProvider, the expectation is that other apps are going to use your database, and with that I mean other people who know nothing about your database scheme. To make things easy for them, you create and document your URIs:
To access all the books
content://org.example.bookprovider/books
to access books by id
content://org.example.bookprovider/books/#
to access books by author name
content://org.example.bookprovider/books/author
Create as many URIs as you need, that’s up to you. This way the user of your Provider can very easily access your database info, and maybe that’s why you are getting the impression that the Provider is designed to work with one table databases, but no, internally is where the work is done.
In your ContentProvider subclass, you can use a UriMatcher to identify those different URIs that are going to be passed to your ContentProvider methods (query, insert, update, delete). If the data the Uri is requesting is stored in several tables, you can actually do the JOINs and GROUP BYs or whatever you need with SQLiteQueryBuilder , e.g.
public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder) {
SQLiteQueryBuilder mQueryBuilder = new SQLiteQueryBuilder();
. . .
String Joins = " t1 INNER JOIN table2 t2 ON t2._id = t1._id"
+ " INNER JOIN table3 t3 ON t3._id = t1._id";
switch (mUriMatcher.match(uri)) {
case DATA_COLLECTION_URI:
mQueryBuilder.setTables(YourDataContract.TABLE1_NAME + Joins);
mQueryBuilder.setProjectionMap(. . .);
break;
case SINGLE_DATA_URI:
mQueryBuilder.setTables(YourDataContract.TABLE1_NAME + Joins);
mQueryBuilder.setProjectionMap(. . .);
mQueryBuilder.appendWhere(Table1._ID + "=" + uri.getPathSegments().get(1));
break;
case . . .
default:
throw new IllegalArgumentException("Unknown URI " + uri);
}
. . .
SQLiteDatabase db = mOpenHelper.getReadableDatabase();
Cursor c = mQueryBuilder.query(db, projection, selection, selectionArgs, groupBy, having, orderBy);
return c;
}
Hope it helps.
Excuse me, but I don't understand your question.
ContentProvider is designed (a one of it's aims)to wrap access to your tabels. Design of database schema is up to you.
Generally, you need to:
Define your tables/ It should be made by execution of sql command in class which extends SQLiteOpenHelper
Define an uri for them
Define a logic for queries to this tables as it was made for NOTE_ID
Update
For JOIN operations SQLiteQueryBuilder is usually used. In setTables() you need to write names of tables with JOIN clause, e.g.
.setTables(NoteColumns.TABLENAME +
" LEFT OUTER JOIN " + TopicColumns.TABLENAME + " ON " +
NoteColumns.ID + " = " + TopicColumns.ID);
Here is my code for multiple table query in content provider with projectionMap
//HashMap for Projection
mGroupImageUri = new HashMap<>();
mGroupImageUri.put(RosterConstants.JID,RosterProvider.TABLE_ROSTER+"."+RosterConstants.JID);
mGroupImageUri.put(RosterConstants.USER_NAME,RosterProvider.TABLE_ROSTER+"."+RosterConstants.USER_NAME);
mGroupImageUri.put(ChatConstants.MESSAGE,"c."+ChatConstants.MESSAGE+ " AS "+ ChatConstants.MESSAGE);
mGroupImageUri.put(ChatConstants.SENDER,"c."+ChatConstants.SENDER+" AS "+ChatConstants.SENDER);
mGroupImageUri.put(ChatConstants.URL_LOCAL,"c."+ChatConstants.URL_LOCAL+" AS "+ChatConstants.URL_LOCAL);
//case for content type of uri
case IMAGE_URI:
qBuilder.setTables(RosterProvider.TABLE_ROSTER
+ " LEFT OUTER JOIN "+ TABLE_NAME + " c"
+ " ON c."+ ChatConstants.JID + "=" + RosterProvider.TABLE_ROSTER + "."+RosterConstants.JID);
qBuilder.setProjectionMap(mGroupImageUri);
break;
//ContentResolver query for Projection form, selection and selection args
String[] PROJECTION_FROM = new String[]{
RosterConstants.JID,
RosterConstants.USER_NAME,
ChatConstants.MESSAGE,
ChatConstants.SENDER,
ChatConstants.URL_LOCAL
};
String selection = RosterProvider.TABLE_ROSTER +"."+RosterConstants.JID+ "='" + jid + "' AND " + "c."+ChatConstants.FILE_TYPE+"="+ChatConstants.IMAGE;
String[] selectionArgu = null;
String order = "c."+ChatConstants.MESSAGE+" ASC";
Cursor cursor = mContentReolver.query(ChatProvider.CONTENT_URI_GROUP_IMAGE_URI,
PROJECTION_FROM,selection, null,order);
//#ChatProvider.CONTENT_URI_GROUP_IMAGE_URI = 'your content type uri'
//#TABLE_NAME = 'table1'
//#RosterProvider.TABLE_ROSTER ='table2'
I have a question regarding best practice for implementing complex queries with content providers. As I see from the android contact content provider it is recommended to use the fields selection, selectionArgs etc to make specific requests.
I am right now in the process of shaping my first own content provider. It has quite a complex beast behind with all the joins, full text tables etc constructs of a database with normalised tables. Of course I want to hide this complexity from the user of the content provider yet I just dont know yet how to implement this. If the user specifies his request with selection, selectionArgs etc it seems the content provider has to parse these and map it too the underlying structure. Are there some tools for this parsing or will I end up writing my own selection string parser etc.
I am afraid this is the way to go but before implementing it I would like to hear some advice from the android professionals around about it.
Thanks a lot
martin
Here comes where I am right now, at least some kind of solution I want to quickly share for inspiring expert feedback and maybe give some hint for other bloody newbies around. My basic mistake in the beginning as it seems now was not to introduce a "virtual" database like layer which the content provider offers to his users. Once this is done the complexity behind is hidden and the normal syntax of queries can be used.
So what I did is having a "virtual" database layer in the content provider contract class,
public class JustDharmaQuotesContract {
public class Quote {
public static final String TABLE_NAME = QuoteTable.TABLE_NAME;
public static final String _ID = TABLE_NAME + "." + QuoteTable._ID;
public static final String AUTHOR = TABLE_NAME + "." + QuoteTable.AUTHOR;
public static final String AUTHOR_FULL_NAME = TABLE_NAME + "." + QuoteTable.AUTHOR_FULL_NAME;
public static final String TITLE = TABLE_NAME + "." + QuoteTable.TITLE;
public static final String QUOTE = TABLE_NAME + "." + QuoteTable.QUOTE;
public static final String QUOTE_LENGTH = TABLE_NAME + "." + QuoteTable.QUOTE_LENGTH;
public static final String BLOG_POST_LINK = TABLE_NAME + "." + QuoteTable.BLOG_POST_LINK;
}
public class QuoteFTS {
public static final String TABLE_NAME = QuoteFtsTable.TABLE_NAME;
public static final String _ID = TABLE_NAME + "." + QuoteFtsTable._ID;
public static final String TITLE = TABLE_NAME + "." + QuoteFtsTable.TITLE;
public static final String QUOTE = TABLE_NAME + "." + QuoteFtsTable.QUOTE;
public static final String SNIPPET = "snippet";
public static final String AUTHOR = Quote.TABLE_NAME + "." + QuoteTable.AUTHOR;
public static final String AUTHOR_FULL_NAME = Quote.TABLE_NAME + "." + QuoteTable.AUTHOR_FULL_NAME;
public static final String QUOTE_LENGTH = Quote.TABLE_NAME + "." + QuoteTable.QUOTE_LENGTH;
public static final String BLOG_POST_LINK = Quote.TABLE_NAME + "." + QuoteTable.BLOG_POST_LINK;
}
}
with the Quote layer basically mapping one to one to the QuoteTable of the database and the QuoteFTS layer representing the join between FTS table and the Quote table. (the snippet column for the respective fts snippet result) Here I use the the same column names as the database column names so that the projections and selections of the user fits to the database. (including the table names so that the join works well)
The user of the content provider can now do all kind of queries on this two virtual database layers provided, for example
Uri uri = QuoteContentProvider.FTS_URI;
switch (order) {
case 1: {
sortOrder = QuoteFTS.TITLE + " COLLATE NOCASE";
break;
}
case 2: {
sortOrder = QuoteFTS.AUTHOR + ", " + QuoteFTS.TITLE
+ " COLLATE NOCASE";
break;
}
case 3: {
sortOrder = QuoteFTS.QUOTE_LENGTH;
break;
}
}
String[] projection = new String[] { QuoteFTS._ID,
QuoteFTS.TITLE, QuoteFTS.AUTHOR, QuoteFTS.SNIPPET};
String selection = titleOnly ? QuoteFTS.TITLE + " MATCH ? " : QuoteFTS.TABLE_NAME + " MATCH ? ";
String[] selectionArgs = {appendWildcard(query)};
Loader<Cursor> loader = CursorLoader(this, uri, projection,selection, selectionArgs, sortOrder);
It is still necessary to have proper knowledge of how to use the MATCH syntax etc to get this to work. This point makes me feel a bit uncomfortable and I would highly appreciate feedback on this.
Thanks buddies
martin
Background
I have an Android project that has a database with two tables: tbl_question and tbl_alternative.
To populate the views with questions and alternatives I am using cursors. There are no problems in getting the data I need until I try to join the two tables.
Tbl_question
-------------
_id
question
categoryid
Tbl_alternative
---------------
_id
questionid
categoryid
alternative
I want something like the following:
SELECT tbl_question.question, tbl_alternative.alternative where
categoryid=tbl_alternative.categoryid AND tbl_question._id =
tbl_alternative.questionid.`
This is my attempt:
public Cursor getAlternative(long categoryid) {
String[] columns = new String[] { KEY_Q_ID, KEY_IMAGE, KEY_QUESTION, KEY_ALT, KEY_QID};
String whereClause = KEY_CATEGORYID + "=" + categoryid +" AND "+ KEY_Q_ID +"="+ KEY_QID;
Cursor cursor = mDb.query(true, DBTABLE_QUESTION + " INNER JOIN "+ DBTABLE_ALTERNATIVE, columns, whereClause, null, null, null, null, null);
if (cursor != null) {
cursor.moveToFirst();
}
return cursor;
I find this way to form queries harder than regular SQL, but have gotten the advice to use this way since it is less error prone.
Question
How do I join two SQLite tables in my application?
You need rawQuery method.
Example:
private final String MY_QUERY = "SELECT * FROM table_a a INNER JOIN table_b b ON a.id=b.other_id WHERE b.property_id=?";
db.rawQuery(MY_QUERY, new String[]{String.valueOf(propertyId)});
Use ? bindings instead of putting values into raw sql query.
An alternate way is to construct a view which is then queried just like a table.
In many database managers using a view can result in better performance.
CREATE VIEW xyz SELECT q.question, a.alternative
FROM tbl_question AS q, tbl_alternative AS a
WHERE q.categoryid = a.categoryid
AND q._id = a.questionid;
This is from memory so there may be some syntactic issues.
http://www.sqlite.org/lang_createview.html
I mention this approach because then you can use SQLiteQueryBuilder with the view as you implied that it was preferred.
In addition to #pawelzieba's answer, which definitely is correct, to join two tables, while you can use an INNER JOIN like this
SELECT * FROM expense INNER JOIN refuel
ON exp_id = expense_id
WHERE refuel_id = 1
via raw query like this -
String rawQuery = "SELECT * FROM " + RefuelTable.TABLE_NAME + " INNER JOIN " + ExpenseTable.TABLE_NAME
+ " ON " + RefuelTable.EXP_ID + " = " + ExpenseTable.ID
+ " WHERE " + RefuelTable.ID + " = " + id;
Cursor c = db.rawQuery(
rawQuery,
null
);
because of SQLite's backward compatible support of the primitive way of querying, we turn that command into this -
SELECT *
FROM expense, refuel
WHERE exp_id = expense_id AND refuel_id = 1
and hence be able to take advanatage of the SQLiteDatabase.query() helper method
Cursor c = db.query(
RefuelTable.TABLE_NAME + " , " + ExpenseTable.TABLE_NAME,
Utils.concat(RefuelTable.PROJECTION, ExpenseTable.PROJECTION),
RefuelTable.EXP_ID + " = " + ExpenseTable.ID + " AND " + RefuelTable.ID + " = " + id,
null,
null,
null,
null
);
For a detailed blog post check this
http://blog.championswimmer.in/2015/12/doing-a-table-join-in-android-without-using-rawquery
"Ambiguous column" usually means that the same column name appears in at least two tables; the database engine can't tell which one you want. Use full table names or table aliases to remove the ambiguity.
Here's an example I happened to have in my editor. It's from someone else's problem, but should make sense anyway.
select P.*
from product_has_image P
inner join highest_priority_images H
on (H.id_product = P.id_product and H.priority = p.priority)