Does the Android SQLite implementation sanitize input via the SQLiteDatabase.insert() method?

The SQLiteDataBase.insert(String, String, ContentValues) convenience method takes a ContentValues object which contains all of the column values of a row to be inserted 开发者_JS百科into the database. If I use the ContentValues.put() methods to build a ContentValues object to insert into the database, does either put() or insert() sanitize the input or do I have to do that myself?

Yes, this will protect you from injection. You can see in the source that insertWithOnConflict (which is called by insert) correctly uses ? place-holders in a SQLiteStatement.

%W will sanitize it with double quotes, but how much sanitation are you wanting?