
I am developing an app in which a suggestion list is displayed as I start typing in the SearchView. Everything is going well, but as I type in the SearchView the app just crashes.

    public Cursor searchByBrandText(String inputTextBrand) throws SQLException {
        db = this.getReadableDatabase();
        // The typed text is spliced straight into the SQL string. A single
        // quote in the input (e.g. Levi's) terminates the '...' literal early,
        // so rawQuery() throws on the malformed SQL, which is the crash seen.
        String where = inputTextBrand;
        String extra = "'%" + where + "%'";
        String query = "SELECT Brand_Name" + " from " + "Sample" + " where "
                + "Brand_Name" + " LIKE " + extra;

        Cursor mCursor = db.rawQuery(query, null);

        // Return null on no match so the caller can skip showing suggestions.
        if (mCursor.getCount() <= 0) {
            mCursor.close();
            return null;
        } else {
            return mCursor;
        }
    }
Phantômaxx

2 Answers


' is the SQL string delimiter.
You have to double it, if you need to insert a value containing that character.
Like so:

String where = inputTextBrand.replace("'", "''");

Or, better, use bound parameters (in this case there's no need to double the ').
Like so:

String query = "SELECT Brand_Name FROM Sample WHERE Brand_Name LIKE ?";
Cursor mCursor = db.rawQuery(query, new String[]{"%" + inputTextBrand + "%"});
Phantômaxx


The single quotation mark is messing up your SQL query. This is reasonably serious because, as it is, somebody could use your text box to carry out an SQL injection attack on your database.

The method of dealing with this has been answered here: Android Quotes within an SQL query string

hughs
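The following is an added example, not code from the question or either answer, that reproduces both points made above against the same engine Android uses: the unescaped quote makes SQLite reject the query (the first answer's crash), and the same concatenation lets a typed payload rewrite the WHERE clause (the second answer's injection). It uses Python's sqlite3 module as a stand-in for Android's SQLiteDatabase.rawQuery(), a constructed in-memory Sample table, and hypothetical function names; the three search functions mirror the original concatenation, the quote-doubling fix, and the bound-parameter fix.

```python
import sqlite3

# Constructed sample rows standing in for the question's "Sample" table.
SAMPLE_BRANDS = ["Levi's", "Adidas", "Nike", "Puma"]


def make_db():
    """In-memory SQLite database holding the constructed Sample table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Sample (Brand_Name TEXT)")
    db.executemany("INSERT INTO Sample VALUES (?)", [(b,) for b in SAMPLE_BRANDS])
    return db


def search_concat(db, text):
    """The question's approach: user text spliced straight into the SQL string."""
    query = "SELECT Brand_Name FROM Sample WHERE Brand_Name LIKE '%" + text + "%'"
    return [row[0] for row in db.execute(query)]


def search_escaped(db, text):
    """First fix from the accepted answer: double every ' before splicing."""
    safe = text.replace("'", "''")
    query = "SELECT Brand_Name FROM Sample WHERE Brand_Name LIKE '%" + safe + "%'"
    return [row[0] for row in db.execute(query)]


def search_bound(db, text):
    """Preferred fix: a bound parameter, so the SQL text itself never changes."""
    query = "SELECT Brand_Name FROM Sample WHERE Brand_Name LIKE ?"
    return [row[0] for row in db.execute(query, ("%" + text + "%",))]


def demo():
    """Run all three variants on the inputs the answers talk about."""
    db = make_db()
    results = {}

    # 1. Typing the apostrophe of "Levi's" yields ... LIKE '%Levi'%', which
    #    SQLite rejects with an OperationalError: the Android crash.
    try:
        search_concat(db, "Levi'")
        results["concat_crash"] = None
    except sqlite3.OperationalError as exc:
        results["concat_crash"] = str(exc)

    # 2. The same input is harmless once the quote is doubled or bound.
    results["escaped"] = search_escaped(db, "Levi'")
    results["bound"] = search_bound(db, "Levi'")

    # 3. Injection through the search box: the closing quote plus OR 1=1
    #    turns the WHERE clause into a tautology and the trailing -- comments
    #    out the leftover %', so every row comes back.
    payload = "' OR 1=1 --"
    results["concat_injected"] = search_concat(db, payload)
    # With binding the payload is just an (unmatched) pattern string.
    results["bound_payload"] = search_bound(db, payload)

    # 4. Caveat: binding stops injection but not LIKE wildcard abuse; a bare
    #    "%" still matches everything. Use ESCAPE if that matters to you.
    results["wildcard"] = search_bound(db, "%")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The wildcard result is the check worth keeping in mind after switching to rawQuery(query, selectionArgs): parameters neutralise the string delimiter, but `%` and `_` inside the argument are still LIKE metacharacters, so a suggestion box that must treat them literally needs to escape them and add an ESCAPE clause to the query.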