How is it advised to use the ContentResolver's delete method to be injection safe?
You can delete with content resolver by URI or by passing some parameters to the where parameter.

How do you make the parameters SQL injection safe?
Is it possible to use Prepared Statements with ContentResolver?

// delete by a URI that already carries the row id (no selection string)
act.getContentResolver().delete(myuriwithid, null, null);

// delete by base URI with a selection built by string concatenation
act.getContentResolver().delete(mybaseuri, " name = '" + this.name + "'", null);
Huntley answered 27/2, 2010 at 7:29 Comment(0)

Use positional parameters.

public final int delete (Uri url, String where, String[] selectionArgs)

e.g.

ContentResolver cr = ...;
// '?' is a placeholder; each entry of selectionArgs is bound, in order, as a value
String where = "nameid=?";
String[] args = new String[] { "george" };
cr.delete( Stuff.CONTENT_URI, where, args );
Tract answered 27/2, 2010 at 9:1 Comment(3)
I don't know. If you don't trust it, you can use SQLiteDatabase.execSQL( "delete .." ) and harden the query yourself. - Tract
By my tests it seems to be SQL injection safe, but I can't see it documented anywhere. - Brunner
I just found some useful info, look for "SQL injection" in this page: developer.android.com/training/contacts-provider/… - Brunner
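The difference between the asker's concatenated selection and the answer's `?` placeholder with `selectionArgs` can be checked outside Android, since content providers backed by SQLiteDatabase hand both forms to the same SQLite engine. The following is an added example, not code from this thread; it uses Python's sqlite3 module as a stand-in for the provider's database, and the table name `stuff`, the column `nameid` and the sample rows are constructed for the demonstration. `delete_concat` mirrors the `" name = '" + this.name + "'"` pattern, `delete_bound` mirrors `"nameid=?"` with an args array.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a content provider's backing store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stuff (id INTEGER PRIMARY KEY, nameid TEXT)")
    conn.executemany(
        "INSERT INTO stuff (nameid) VALUES (?)",
        [("george",), ("alice",), ("bob",)],
    )
    conn.commit()
    return conn


def delete_concat(conn, name):
    """Mirrors delete(uri, " name = '" + name + "'", null): the value becomes SQL text."""
    cur = conn.execute("DELETE FROM stuff WHERE nameid = '" + name + "'")
    conn.commit()
    return cur.rowcount  # rows actually deleted


def delete_bound(conn, name):
    """Mirrors delete(uri, "nameid=?", new String[]{name}): the value is bound as data."""
    cur = conn.execute("DELETE FROM stuff WHERE nameid = ?", (name,))
    conn.commit()
    return cur.rowcount


def remaining(conn):
    """Names still present, sorted, so the effect of each delete is easy to compare."""
    return [row[0] for row in conn.execute("SELECT nameid FROM stuff ORDER BY nameid")]


if __name__ == "__main__":
    # A value containing a quote and a tautology: with concatenation it rewrites the
    # WHERE clause; with a bound parameter it is just a string nobody's nameid equals.
    hostile = "george' OR '1'='1"

    db = make_db()
    print("bound  :", delete_bound(db, hostile), "deleted, left:", remaining(db))

    db = make_db()
    print("concat :", delete_concat(db, hostile), "deleted, left:", remaining(db))

    # The bound form still deletes exactly the intended row for an ordinary value.
    db = make_db()
    print("bound  :", delete_bound(db, "george"), "deleted, left:", remaining(db))
```

Run as a script it prints one line per case; the point to take away is that a bound parameter never changes the shape of the statement, which is why the `selectionArgs` form is the one to prefer over building the `where` string yourself.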
