分享程序员开发的那些事...
更新时间:2023-12-01 21:36:40
在SQL中,字符串必须加引号。
然而,为了避免这样的格式问题(和SQL注入攻击),使用参数来代替:
光标C = db.rawQuery(SELECT * FROM+ TABLE_PROFILE +
WHERE+ KEY_USER_EMAIL +=?,
新的String [] {用户名});
I am trying to get some data from user profile, but it doesn't find the column. I already check space between every query and it seems nothing wrong. Till now i can't see the problem, any idea? Thanks before Here is my code and error message
Table Name
private static final String TABLE_PROFILE = "users";
private static final String TABLE_STATUS = "status";
Users Column Names
//Users column names
private static final String KEY_USER_ID = "user_id";
private static final String KEY_USER_IMG = "picture";
private static final String KEY_USER_EMAIL = "email";
private static final String KEY_USER_NAME = "name";
private static final String KEY_USER_PASSWORD = "password";
private static final String KEY_USER_PHONE = "phone";
Status Column Names
//Status column names
private static final String KEY_STATUS_ID = "status_id";
private static final String KEY_STATUS = "status";
Table Create Statement
//Users table create statement
private static final String CREATE_TABLE_PROFILE = "CREATE TABLE " + TABLE_PROFILE +
"(" + KEY_USER_ID + " INTEGER PRIMARY KEY," + KEY_USER_IMG + " BLOB," +
KEY_USER_EMAIL + " VARCHAR," + KEY_USER_NAME + " VARCHAR," + KEY_USER_PASSWORD + " VARCHAR,"
+ KEY_USER_PHONE + " VARCHAR," + KEY_CREATED_AT + " DATETIME," + KEY_STATUS_ID + " INTEGER,"
+ " FOREIGN KEY " + "(" + KEY_STATUS_ID + ")" + " REFERENCES " + TABLE_STATUS + "(" + KEY_STATUS_ID + ")" + ")";
getProfile method
public Profile getProfile(String username){
SQLiteDatabase db = this.getReadableDatabase();
String selectQuery = "SELECT * FROM " + TABLE_PROFILE + " WHERE " + KEY_USER_EMAIL + " = " + username;
Log.e(LOG, selectQuery);
Cursor c = db.rawQuery(selectQuery, null);
if(c!=null)
c.moveToFirst();
Profile pf = new Profile();
pf.setID(c.getInt(c.getColumnIndex(KEY_USER_ID)));
pf.setImg(c.getBlob(c.getColumnIndex(KEY_USER_IMG)));
pf.setEmail(c.getString(c.getColumnIndex(KEY_USER_EMAIL)));
pf.setName(c.getString(c.getColumnIndex(KEY_USER_NAME)));
pf.setPassword(c.getString(c.getColumnIndex(KEY_USER_PASSWORD)));
pf.setPhone(c.getString(c.getColumnIndex(KEY_USER_PHONE)));
pf.setCreatedAt(c.getString(c.getColumnIndex(KEY_CREATED_AT)));
return pf;
}
logcat message
12-18 02:50:32.616: E/DatabaseHelper(7093): SELECT * FROM users WHERE email = test1
12-18 02:50:32.616: E/SQLiteLog(7093): (1) no such column: test1
12-18 02:50:32.636: E/AndroidRuntime(7093): FATAL EXCEPTION: main
12-18 02:50:32.636: E/AndroidRuntime(7093): android.database.sqlite.SQLiteException: no such column: test1 (code 1): , while compiling: SELECT * FROM users WHERE email = test1
In SQL, string literals must be quoted.
However, to avoid formatting problems like this (and SQL injection attacks), use parameters instead:
Cursor c = db.rawQuery("SELECT * FROM " + TABLE_PROFILE +
" WHERE " + KEY_USER_EMAIL + " = ?",
new String[]{ username });