0

I'm currently trying to query my SQLite database using the following line of code:

public Cursor getExpenses(String username)
    {
        SQLiteDatabase db = this.getWritableDatabase();
        Cursor results = db.rawQuery("SELECT * FROM " + TABLE_EXPENSES + " WHERE username = " + username  , null);
        DatabaseUtils.dumpCursorToString(results);
        return results;
    }

The problem is the parameter username does not get passed into the query and instead I get returned all the data in TABLE_EXPENSES. If I leave out the quotes, I get no such column error. I was thinking of escaping the double quotes on username but apparently after some searching it seems like you can't escape the characters on SQLite? Hence, my question: How do I pass the parameter into the query.

Ziv Ofir
  • 103
  • 1
  • 12
  • `+ "username"` is a raw string, not the variable you passed in – OneCricketeer Jul 09 '18 at 02:39
  • From duplicate question... Use `whereArgs = new String[] { username }`. Don't put quotes around username – OneCricketeer Jul 09 '18 at 02:43
  • My bad, was actually messing around with the code and accidentally paste my current working version with the `+ "username"` part. Updated to show what I was actually trying to achieve. – Ziv Ofir Jul 09 '18 at 02:45
  • The code you have isn't wrong, but I suggest using `query` rather than `rawQuery` (lookup SQL injection). You should get `no such column` if you put quotes on the variable or not – OneCricketeer Jul 09 '18 at 02:52

0 Answers0