Active Android is it prone to SQL injections. Any known solution?

Question

Android application is already developed using ActiveAndroid

public static List<ModelNames> search(String pattern) {
    return new Select().from(ModelNames.class)
            .where("title LIKE '%" + pattern + "%' or content LIKE '%" + pattern + "%'")
            .orderBy("title")
            .execute();
}

Now its prone to SQL injections.

Has anyone faced a similar problem and found a solution or could anyone provide a solution for the same?

Found a issue on github, but could not get a proper solution.

Answer 1

The examples on the website show how to use placeholders:

public static List<ModelNames> search(String pattern) {
    pattern = "%" + pattern + "%";
    return new Select().from(ModelNames.class)
        .where("title LIKE ? or content LIKE ?", pattern, pattern)
        .orderBy("title")
        .execute();
}

Answer 2

I found out a workaround, But I let other people to answer with better proposal with respect ActiveAndroid ORM.

following is the workaround:

public static List<ModelNames> search(String pattern) {
    return new Select().from(ModelNames.class)
             String pattern = DatabaseUtils.sqlEscapeString(searchBar.getText().toString());
             pattern = pattern.substring(1, pattern.length());
             pattern = pattern.substring(0, pattern.length()-1);
            .where("title LIKE '%" + pattern + "%' or content LIKE '%" + pattern + "%'")
            .orderBy("title")
            .execute();
}

Ref: sqlEscapeString

Answer 3

What I do is assuming, that everything a user inputs is a threat, so I would save everything to variables like usUsername, where "us" means unsafe. After that I check every "us"-variable for injections, what results in sUsername (s means safe). So when I build a query I can only use s-varaibles and should be safe in most cases.

This idea is totally taken from here: http://www.joelonsoftware.com/articles/Wrong.html

Already mentioned in this question.