1. 首页
  2. 问答
  3. SQLite中的语法错误(插入语句)

SQLite中的语法错误(插入语句)

2016-02-27 66 views
-3

我正在使用Android的SQLite存储选项来存储书籍的一些引用。该表已创建,但在执行Insert语句时会发生错误。SQLite中的语法错误(插入语句)

这里的查询字符串:

writeableDatabase.execSQL("INSERT INTO " + BookSave.TABLE_NAME + 
           " VALUES(" + book.getTitle().toString() + 
           "," + book.getAuthor().toString() + "," 
           + book.getPathOfCover().toString() + ");");

这里的logcat的:

near "Devices": syntax error 
02-27 19:21:04.555 23973-24058/dreamnyc.myapplication E/AndroidRuntime: FATAL EXCEPTION: Thread-2698 
02-27 19:21:04.555 23973-24058/dreamnyc.myapplication E/AndroidRuntime: Process: dreamnyc.myapplication, PID: 23973 
02-27 19:21:04.555 23973-24058/dreamnyc.myapplication E/AndroidRuntime: android.database.sqlite.SQLiteException: near "Devices": syntax error (code 1): , while compiling: INSERT INTO book VALUES(Electronic Devices & Circuits,Jacob Millman & Christos C. Halkias,/storage/emulated/0/Android/data/dreamnyc.myapplication/files/MillmanHalkias-ElectronicDevicesCircuits/OEBPS/images/leaf-image0000.jpg); 
02-27 19:21:04.555 23973-24058/dreamnyc.myapplication E/AndroidRuntime:  at android.database.sqlite.SQLiteConnection.nativePrepareStatement(Native Method) 
02-27 19:21:04.555 23973-24058/dreamnyc.myapplication E/AndroidRuntime:  at android.database.sqlite.SQLiteConnection.acquirePreparedStatement(SQLiteConnection.java:891) 
02-27 19:21:04.555 23973-24058/dreamnyc.myapplication E/AndroidRuntime:  at android.database.sqlite.SQLiteConnection.prepare(SQLiteConnection.java:502) 
02-27 19:21:04.555 23973-24058/dreamnyc.myapplication E/AndroidRuntime:  at android.database.sqlite.SQLiteSession.prepare(SQLiteSession.java:588) 
02-27 19:21:04.555 23973-24058/dreamnyc.myapplication E/AndroidRuntime:  at android.database.sqlite.SQLiteProgram.<init>(SQLiteProgram.java:58) 
02-27 19:21:04.555 23973-24058/dreamnyc.myapplication E/AndroidRuntime:  at android.database.sqlite.SQLiteStatement.<init>(SQLiteStatement.java:31) 
02-27 19:21:04.555 23973-24058/dreamnyc.myapplication E/AndroidRuntime:  at android.database.sqlite.SQLiteDatabase.executeSql(SQLiteDatabase.java:1674) 
02-27 19:21:04.555 23973-24058/dreamnyc.myapplication E/AndroidRuntime:  at android.database.sqlite.SQLiteDatabase.execSQL(SQLiteDatabase.java:1605) 
02-27 19:21:04.555 23973-24058/dreamnyc.myapplication E/AndroidRuntime:  at dreamnyc.myapplication.MainActivity$2.run(MainActivity.java:189) 
02-27 19:21:04.555 23973-24058/dreamnyc.myapplication E/AndroidRuntime:  at java.lang.Thread.run(Thread.java:818)

来源

2016-02-27 Abhishek Soni

+2

为了避免SQL注入使用参数绑定。无论如何,你的查询没有字符串字面值。 'INSERT INTO book VALUES(Electronic Devices&Circuits,Jacob Millman&Christos C. Halkias,/ storage/emulated/0/Android/data/dreamnyc.myapplication/files/MillmanHalkias-ElectronicDevicesCircuits/OEBPS/images/leaf-image0000.jpg' – lad2025

+0

我该怎么做?参数绑定是什么意思? –

+2

** [如何在Android中使用SQlite中的预准备语句](http://stackoverflow.com/questions/433392/how-doi-i-使用准备好的语句在SQLite中在Android)** – lad2025

回答

1

问题是你需要周围的值的报价,如果他们是varchar类型:

writeableDatabase.execSQL("INSERT INTO " + BookSave.TABLE_NAME + 
           " VALUES('" + book.getTitle().toString() +"'," 
           +"'"+ book.getAuthor().toString() + "'," 
           +"'"+ book.getPathOfCover().toString() + "');");

真正的问题是你应该使用参数化查询来避免这些类型的错误,但也要预防t sql注入。

例如:

ContentValues values = new ContentValues(); 
values.put(KEY_TITLE, book.getTitle().toString()); 
values.put(KEY_AUTHOR, book.getAuthor().toString()); 
values.put(KEY_PATH_COVER, book.getPathOfCover().toString()); 
writeableDatabase.insert(TABLE_NAME, null, values);

KEY_是列名作为字符串

来源

2016-02-27 14:02:06 meda

相关问题

 相关问题