From 3dad108dbb93d8dd2b014614fbe6fe43ed5be948 Mon Sep 17 00:00:00 2001
From: shunf4
Date: Fri, 25 Oct 2019 12:51:34 +0800
Subject: [PATCH] fix: sql injection when updating fts
---
 .../java/org/houxg/leamonax/database/NoteDataStore.java | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/app/src/main/java/org/houxg/leamonax/database/NoteDataStore.java b/app/src/main/java/org/houxg/leamonax/database/NoteDataStore.java
index 3ac9924..16a90c8 100644
--- a/app/src/main/java/org/houxg/leamonax/database/NoteDataStore.java
+++ b/app/src/main/java/org/houxg/leamonax/database/NoteDataStore.java
@@ -1,7 +1,9 @@
 package org.houxg.leamonax.database;
+import android.content.ContentValues;
 import android.database.Cursor;
+import android.database.sqlite.SQLiteDatabase;
 import com.raizlabs.android.dbflow.config.FlowManager;
 import com.raizlabs.android.dbflow.sql.language.Join;
@@ -40,8 +42,10 @@ public static List searchByTitle(String keyword) {
 public static void updateFTSNoteByLocalId(Long localId) {
 Note note = getByLocalId(localId);
 DatabaseWrapper databaseWrapper = FlowManager.getWritableDatabase(AppDataBase.class);
- String query = "UPDATE fts_note SET content = '" + note.getContent() + "' where rowid = " + localId;
- databaseWrapper.execSQL(query);
+ ContentValues args = new ContentValues();
+ args.put("content", note.getContent());
+ // String query = "UPDATE fts_note SET content = '" + note.getContent() + "' where rowid = " + localId;
+ databaseWrapper.updateWithOnConflict("fts_note", args, "rowid = " + localId, null, SQLiteDatabase.CONFLICT_REPLACE);
 }
 public static boolean isExistsTableFTSNote() {
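Review bot: The WHERE clause on the new `updateWithOnConflict` line is still assembled by string concatenation, `"rowid = " + localId`, so only the content value was moved to a bound parameter. Because `localId` is a `Long` the concatenation cannot carry injected SQL today, but a null id silently becomes `rowid = null`, which matches no row, and the pattern turns exploitable the moment the parameter type or caller changes; bind it instead: `databaseWrapper.updateWithOnConflict("fts_note", args, "rowid = ?", new String[]{String.valueOf(localId)}, SQLiteDatabase.CONFLICT_REPLACE);` with an explicit null check on `localId` before the update. The commented-out `// String query = ...` line keeps the vulnerable statement alive in the file and should be deleted rather than retained. If `getByLocalId` can return null, `note.getContent()` will throw, which I cannot confirm from this hunk.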