My App data managed by the Content Provider using CursorLoaders is in SQLite database. According to Veracode Static Scan report , it is prone to SQL Injections.

But according to docs,

To avoid this problem, use a selection clause that uses ? as a replaceable parameter and a separate array of selection arguments. When you do this, the user input is bound directly to the query rather than being interpreted as part of an SQL statement. Because it's not treated as SQL, the user input can't inject malicious SQL.

public Loader<Cursor> onCreateLoader(int id, Bundle b) {
    return new CursorLoader(getActivity(), 
            NewsFeedTable.CONTENT_URI, 
            NewsFeedTable.PROJECTION, 
            "_id = ?", 
            new String[]{tid}, 
            null);
}

As shown in above code, I am doing in similar way. Also I read same in The Mobile Application Hacker's Book

If this is not sufficient measure to prevent SQL injections, how do I sanitize the sql query from the special characters? Every read suggests using parameterized PreparedStatements. Is it not default with Content Providers?

An alternative to SQLiteStatement is to use the query, insert, update, and delete methods on SQLiteDatabase as they offer parameterized statements via their use of string arrays.

I found this as a solution :

But then I read docs from here that

StringEscapeUtils.escapeSql This was a misleading method, only handling the simplest of possible SQL cases. As SQL is not Lang's focus, it didn't make sense to maintain this method.

Adding the code snippet. Report points at Line 307 where SQL Injection flaw is detected:

How should I do input validation for the special characters? Please help, to make me understand it better.