Question

I create a table in Android SQLite. My table is category:

db.execSQL("CREATE TABLE IF NOT EXISTS category (id_category INTEGER PRIMARY KEY AUTOINCREMENT,sub INT(5),name VARCHAR ,father INT(5), income_bool INT(1));");

Now I create a variable:

String a = "بنزین";

I insert a row successfully (with a Persian name) and show it in a ListView.

But when I select I have errors:

// the value is concatenated into the SQL unquoted; this is the statement that fails
String ROW3 = "SELECT * FROM category WHERE name=" + a;
Cursor cursor = db.rawQuery(ROW3, null);
Log.d("ghable vorod be for", "sa");
for (cursor.moveToFirst(); !cursor.isAfterLast(); cursor.moveToNext())
{
    Log.d("ghable vorod be for1", "sa");
    // read the column value, not just its index
    cat_id = cursor.getInt(cursor.getColumnIndex("id_category"));
    Log.d("ghable vorod be for2", "sa");
}

But I get these errors in logcat:

sqlite returned: error code = 1, msg = no such column: بنزین

Shutting down VM

thread exiting with uncaught exception (group=0x40015560) E/AndroidRuntime(28713): FATAL EXCEPTION: main

android.database.sqlite.SQLiteException: no such column: بنزین: , while compiling: SELECT * FROM category WHERE name=بنزین

09-30 15:28:17.358: E/AndroidRuntime(28713): at android.database.sqlite.SQLiteCompiledSql.native_compile(Native Method)
09-30 15:28:17.358: E/AndroidRuntime(28713): at android.database.sqlite.SQLiteCompiledSql.compile(SQLiteCompiledSql.java:92)
09-30 15:28:17.358: E/AndroidRuntime(28713): at android.database.sqlite.SQLiteCompiledSql.<init>(SQLiteCompiledSql.java:65)
09-30 15:28:17.358: E/AndroidRuntime(28713): at android.database.sqlite.SQLiteProgram.<init>(SQLiteProgram.java:83)
09-30 15:28:17.358: E/AndroidRuntime(28713): at android.database.sqlite.SQLiteQuery.<init>(SQLiteQuery.java:49)
09-30 15:28:17.358: E/AndroidRuntime(28713): at android.database.sqlite.SQLiteDirectCursorDriver.query(SQLiteDirectCursorDriver.java:42)
09-30 15:28:17.358: E/AndroidRuntime(28713): at android.database.sqlite.SQLiteDatabase.rawQueryWithFactory(SQLiteDatabase.java:1356)
09-30 15:28:17.358: E/AndroidRuntime(28713): at android.database.sqlite.SQLiteDatabase.rawQuery(SQLiteDatabase.java:1324)
09-30 15:28:17.358: E/AndroidRuntime(28713): at com.example.hesabdar.New_income.onClick(New_income.java:174)
09-30 15:28:17.358: E/AndroidRuntime(28713): at android.view.View.performClick(View.java:2485)
09-30 15:28:17.358: E/AndroidRuntime(28713): at android.view.View$PerformClick.run(View.java:9080)
09-30 15:28:17.358: E/AndroidRuntime(28713): at android.os.Handler.handleCallback(Handler.java:587)
09-30 15:28:17.358: E/AndroidRuntime(28713): at android.os.Handler.dispatchMessage(Handler.java:92)
09-30 15:28:17.358: E/AndroidRuntime(28713): at android.os.Looper.loop(Looper.java:123)
09-30 15:28:17.358: E/AndroidRuntime(28713): at android.app.ActivityThread.main(ActivityThread.java:3683)
09-30 15:28:17.358: E/AndroidRuntime(28713): at java.lang.reflect.Method.invokeNative(Native Method)
09-30 15:28:17.358: E/AndroidRuntime(28713): at java.lang.reflect.Method.invoke(Method.java:507)
09-30 15:28:17.358: E/AndroidRuntime(28713): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:839)
09-30 15:28:17.358: E/AndroidRuntime(28713): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:597)
09-30 15:28:17.358: E/AndroidRuntime(28713): at dalvik.system.NativeStart.main(Native Method)
09-30 15:33:17.468: I/Process(28713): Sending signal. PID: 28713 SIG: 9


Solution

You shouldn't include the value directly in your SQL at all. Instead, use parameterized SQL, such as:

Cursor cursor = db.rawQuery("SELECT * FROM category WHERE name=?",
                            new String[] { a });

That way:

  • You don't need to worry about how non-ASCII should be represented
  • You don't need to worry about escaping the data to avoid SQL injection attacks
  • Your SQL is easier to read, without all the string concatenation

(In normal JDBC you could set parameters for other data types than String, avoiding conversion issues too - looks like that's not quite available here, but it's a common benefit of parameterized SQL.)

Other tips

For normal string value insertion into the database we have a method which appends a ' character at the start and end and replaces every occurrence of the ' character with ''.

public String FormatDBString(String StringToFormat)
{
    // null or empty becomes an empty SQL string literal: ''
    if (StringToFormat == null || StringToFormat.equals(""))
    {
        return "''";
    }
    else
    {
        // double every embedded single quote, then wrap in single quotes
        return "'" + StringToFormat.replace("'", "''") + "'";
    }
}

and then you can use this function as

String ROW3 = "SELECT * FROM category WHERE name=" + FormatDBString(a);

This function provides usability, as we have to write so many SQL statements, and the chances of mistakes, SQL injection etc. are minimized too.
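The following is an added example, not code from the original question or either answer. It reproduces the questioner's failure and compares the two answers' approaches against the same SQLite engine Android uses, via Python's standard sqlite3 module (the Android API differs only in naming: rawQuery(sql, selectionArgs) corresponds to execute(sql, params)). The table rows and the lookup values are constructed sample data; format_db_string is a Python transcription of the second answer's FormatDBString helper, and lookup_hand_quoted is an assumed "just wrap it in quotes" variant that is not on the page, included to show what the accepted answer's injection remark refers to.

```python
import sqlite3

# Constructed sample value, mirroring the question's variable `a`.
PERSIAN_NAME = "بنزین"


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with the question's `category` schema and
    two constructed rows (one with an embedded single quote)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE IF NOT EXISTS category ("
        "id_category INTEGER PRIMARY KEY AUTOINCREMENT, "
        "sub INT(5), name VARCHAR, father INT(5), income_bool INT(1))"
    )
    conn.executemany(
        "INSERT INTO category (sub, name, father, income_bool) VALUES (?, ?, ?, ?)",
        [(1, PERSIAN_NAME, 0, 1), (2, "O'Reilly", 0, 0)],
    )
    conn.commit()
    return conn


def lookup_concatenated(conn, name):
    """The question's approach: bare concatenation. SQLite parses the
    unquoted value as an identifier and raises 'no such column: ...'.
    Returns the error text so the failure can be inspected."""
    sql = "SELECT id_category FROM category WHERE name=" + name + " ORDER BY id_category"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return str(exc)


def lookup_hand_quoted(conn, name):
    """Assumed naive variant (not on the page): wrap the value in quotes with
    no escaping. It 'works' for plain values but the value can close the
    literal and append its own SQL (classic injection)."""
    sql = "SELECT id_category FROM category WHERE name='" + name + "' ORDER BY id_category"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Accepted answer: bind the value as a parameter. No quoting, no
    encoding concerns, and the value can never be parsed as SQL."""
    sql = "SELECT id_category FROM category WHERE name=? ORDER BY id_category"
    return [row[0] for row in conn.execute(sql, (name,))]


def format_db_string(value):
    """Python transcription of the second answer's FormatDBString helper:
    wrap in single quotes and double every embedded single quote."""
    if not value:
        return "''"
    return "'" + value.replace("'", "''") + "'"


def lookup_escaped(conn, name):
    """Second answer: manual quoting via the helper. Correct for SQLite
    text literals, but every call site must remember to use it."""
    sql = "SELECT id_category FROM category WHERE name=" + format_db_string(name) + " ORDER BY id_category"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, PERSIAN_NAME))
    print("parameterized:", lookup_parameterized(db, PERSIAN_NAME))
    print("escaped      :", lookup_escaped(db, "O'Reilly"))
    print("hand-quoted  :", lookup_hand_quoted(db, "' OR '1'='1"))
```

Running it shows the exact message from the question's logcat (`no such column: بنزین`) for the concatenated form, a single matching row for the parameterized and escaped forms, and every row for the hand-quoted form once the value is `' OR '1'='1`; the parameterized and escaped lookups return nothing for that same value because it is treated as data, not SQL.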

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow