This is the error I get:

**ERROR/Database(13775): Failure 1 (near "s": syntax error)**

while I try to execute the following query:

```java
myDB.execSQL("INSERT INTO " + tableName + " (" + column[1] + "," + column[2] + "," + column[3] + "," + column[4] + ","
        + column[5] + "," + column[6] + "," + column[7] + "," + column[8] + ",type ) VALUES('"
        + url + "','" + title + "','" + summary + "','" + imageUrl + "','" + completeStoryUrl + "','"
        + date + "','" + imageString + "','" + body + "','" + type + "')");
```

These values are being stored in the DB by parsing an XML document containing RSS-feed-like objects. A few items are stored, but on some I get this exception. Is there a problem with the query, or with the data being sent to the query? Any help is appreciated.

AJJ
Usama Sarwar

2 Answers

You should never create a SQL command with string manipulation because there is the danger of a SQL injection. There are methods to safely format the command with parameters.

In Java there is for example the java.sql.PreparedStatement class.

Using such a conventional method should fix your syntax error, too.

schlamar
  • It's on Android. java.sql.PreparedStatement doesn't apply. Moreover, this should be in the comment section. This is not an answer. – chedine Jul 19 '11 at 10:45
  • I cannot comment because of my rep. There are ways for a prepared statement on Android, too (see http://stackoverflow.com/questions/433392/how-do-i-use-prepared-statements-in-sqlite-in-android). This was only an example. This is a really important note and should not be voted down! – schlamar Jul 19 '11 at 10:52
  • My bad. I didn't notice your rep. Otherwise I wouldn't have downvoted. – chedine Jul 19 '11 at 11:13
Without seeing the actual query that is being executed, I would guess that one of the fields being inserted contains a " character, which is breaking the SQL statement.

For example, imagine if the value of summary was

This string need"s to be escaped 

As Michalis said, you need to escape the values being inserted (replace any special characters).

If I were you, I would log the actual string query that is being executed. Then take a look in logcat at it and you should see why it is failing.

JeffG
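The two answers above make one point between them: a value that contains the quote character used as the literal delimiter cuts the statement short, and binding the values as parameters instead of pasting them into the SQL text avoids both the syntax error and the injection risk. The following added example (not code from the question or either answer) reproduces that failure and the fix with Python's `sqlite3` module, which runs the same SQLite engine as Android; the `feed` table, its three columns and the sample rows are constructed for the demonstration. Because the question's query delimits values with single quotes, the sample that breaks it contains an apostrophe, which yields the same `near "s": syntax error` seen in the question. The function that builds the concatenated SQL also returns the string, which is the "log the actual query" step JeffG recommends.

```python
import sqlite3

# Constructed sample rows standing in for parsed RSS items. The second title
# contains an apostrophe, which ends a '...'-quoted literal early.
SAMPLE_ROWS = [
    {"url": "http://example.invalid/1", "title": "Plain title", "type": "news"},
    {"url": "http://example.invalid/2", "title": "This string need's escaping", "type": "news"},
]


def new_db():
    """In-memory SQLite database with an assumed three-column table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE feed (url TEXT, title TEXT, type TEXT)")
    return db


def build_concatenated_sql(row):
    """Build the statement the way the question does: values pasted into the SQL text.
    Logging this string is the quickest way to see where a value broke the syntax."""
    return ("INSERT INTO feed (url, title, type) VALUES('" + row["url"] + "','"
            + row["title"] + "','" + row["type"] + "')")


def insert_concatenated(db, row):
    """Execute the concatenated statement; return (sql, error message or None)."""
    sql = build_concatenated_sql(row)
    try:
        db.execute(sql)
        return sql, None
    except sqlite3.OperationalError as exc:
        # An apostrophe in a value produces: near "s": syntax error
        return sql, str(exc)


def insert_parameterized(db, row):
    """Bound parameters: the SQL text is fixed and the values travel separately,
    so quotes in the data never reach the SQL parser. On Android the same idea is
    execSQL(sql, bindArgs), compileStatement() with bind*(), or insert() with
    ContentValues. Returns the title as stored, to show it arrives verbatim."""
    db.execute("INSERT INTO feed (url, title, type) VALUES (?, ?, ?)",
               (row["url"], row["title"], row["type"]))
    return db.execute("SELECT title FROM feed WHERE url = ?",
                      (row["url"],)).fetchone()[0]


def run_demo():
    """Run both approaches over the sample rows.

    Returns (errors_from_concatenation, titles_stored_via_parameters)."""
    concat_db = new_db()
    errors = [insert_concatenated(concat_db, r)[1] for r in SAMPLE_ROWS]
    param_db = new_db()
    stored = [insert_parameterized(param_db, r) for r in SAMPLE_ROWS]
    return errors, stored


if __name__ == "__main__":
    concat_errors, stored_titles = run_demo()
    for row, err in zip(SAMPLE_ROWS, concat_errors):
        print(build_concatenated_sql(row), "->", err or "ok")
    print("stored via parameters:", stored_titles)
```

Binding parameters is preferable to escaping because it removes the data from the statement text altogether; if a string really must be inlined, Android's `DatabaseUtils.sqlEscapeString()` doubles embedded single quotes and wraps the value, but every inlined value is one more place to forget it.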