What are the not suggested characters the user can include in a table name?
I give the user the opportunity to create tables in my app, but I want to prevent force closes deriving from including bad characters in the table name.
What are these characters? Any how can I include them in an array?
e.g. List<String> usable_chars = Arrays.asList(";", "'", "/");
but it gives me an error for "\" and """, what is the right syntaxis for these in a list?
Thanks
In java you will need to escape certain characters.
See "Escape Sequences"
http://docs.oracle.com/javase/tutorial/java/data/characters.html
Related
what i am trying to use is that i want to select cities from my LocationByCity table in sqlite database each time As user inters search word in a search box,
for example if user enters F i want all the CityNames Starting From F ,so how can i do that?
Thanx in advance.
I'd have to check up, but I believe you want to use the LIKE keyword.
Syntax somthing along the lines of:
Select Fieldname From Tablename where fieldname LIKE ('%$myvar%');
where the % signs are wildcard characters.
Not sure if sqlite has fulltext indexing so you should be aware that can get very slow depending on how many rows you have in the table.
I am having some problems with special characters in my scenario.
I have a sqlite db created using fts3.
When I use SELECT col_1, col_2, offsets(table) FROM table WHERE table MATCH 'h*' LIMIT 50;
I am able to get words which start with h.
but when I am using
SELECT col_1, col_2, offsets(table) FROM table WHERE table MATCH '#*' LIMIT 50;
I am not getting strings which start with #.
Where am I going wrong? Any pointer regarding approach would be great.
I think the behavior you described happens because SQLite FTS3 uses tokenizer called "simple" by default. The character # gets discarded because is not an alphanumeric character and its UTF codepoint is not greater than 127. My interpretation of this is that FTS is not for searching special characters, it is for searching natural text.
The fix I suggest is not to use FTS for this kind of queries but to use LIKE operator. Or you could try to search for other tokenizers available or write your on in C.
I need to search a particular name from ma contacts... for that i gave the selection criteria like this
ContactsContract.Contacts.DISPLAY_NAME + " LIKE '"+constraint+"%'"
But for apostrophe(')... means ...when i gave apostrophe as constraint an (SQL error )exception is thrown.. for all other special characters , the search is working..
How can we handle constraint apostrophe(')... in search criteria.. boz we can have contact names having apostrophe in it (Eg: Jennifer'lo'pe_z)
How do I use a string literal that contains an embedded single-quote (') character?
The SQL standard specifies that single-quotes in strings are escaped by putting two single quotes in a row. SQL works like the Pascal programming language in the regard. SQLite follows this standard.
Example:
INSERT INTO xyz VALUES('5 O''clock');
SO, simply for your solution, use '' at the place of '. like
if(constraint.contains("'"))
constraint = constraint.replace("'", "''");
And then execute your query. This must help you.
Happy coding :)
I'm making an Android app and I have used an SQLite database. But I found out if you type characters like single quotes ('), (also for using as the primary key) the data won't be saved/retrieved correctly.
Is it a problem with me or is it true? If its true are there any more characters like that?
Thanks.
#bdares and #mu Thanks for the tips, but can you please tell me how to use placeholders and/or prepared statements in SQLite?
I have always used direct String concatenation before but now, as it appears that's a bad practice, I would like to use prepared statements and/or placeholders.
Possibly you'll have problems with characters like ASCII STOP and such non-printing characters, but if you use prepared statements and parameter binding, you won't have any trouble even with characters like '.
If you don't want to use parameter binding and prepared statements, you can replace all of your input ' with \' and you'll be fine.
SQL typically uses ' as its special character to tell when a string literal starts or stops. If your input has this character, it will stop treating the current line as a string and start treating it as commands. This is not a good thing, security wise. It also keeps you from inputting that character unless you "escape" it by placing a backslash in front of it, which tells SQL to ignore the ' and continue treating the following characters as a string until an unescaped ' is met. Of course, backslash literals are also escaped as double-backslashes.
Prepared statements typically look like this:
String sql = "INSERT INTO MYTABLE (NAME, EMP_NO, DATE_HIRED) VALUES (?, ?, ?)";
PreparedStatement ps = sqlite.prepareStatement(sql);
ps.setString(1, myString);
ps.setInt(2, myInt);
ps.setDate(3, myDate);
ps.executeUpdate();
Unfortunately, I don't know exactly what library you'd be using to access sqlite from Android, so I can't give you more details at this time.
SQLite statements use quotes -- single or double -- for strings. If you need to INSERT a string with (') for example, you can use double quotes (") to wrap the string:
INSERT INTO my_table (some_column) VALUES("'a string'");
Or the other way around:
INSERT INTO my_table (some_column) VALUES('"a string"');
(Of course, you will need to escape any (") in your Java code.)
An alternative is to use a SQLiteStatment (Prepared statement) and bindString()
As for the "characters allowed", SQLite internally stores strings (type TEXT) as UTF-8 or UTF-16. Android's build uses the default of UTF-8. Therefor, you can store any string you like.
SQLite supports the data types TEXT (similar to String in Java), INTEGER (similar to long in Java) and REAL (similar to double in Java). All other types must be converted into on of these fields before saving them in the database. SQLight itself does not validate if the types written to the columns are actually of the defined type, you can write an integer into a string column.
Is it possible to create a table name with escape sequences ?
like TableName:exampl's
I have EditText and it's entry like that and want to create a table for it ,and there is no restriction for the edittext.
Yes, it is possible. Or at least sqlite3 itself does not forbid this.
The following example would create the table tbl'1
create table "tbl'1"(one varchar(10), two smallint);
But.
There are several reasons why you should not do that:
Naming tables after user input is simply not acceptable. (http://xkcd.com/327/)
I assume that you are using a database wrapper and you do not directly access the sqlite3 file. If yes, than this solution may fail eventually.
If you have a valid database model, there will be no need to create tables dynamically. Insert rows for new data instead. There you can use as much escape characters as you want.