SQL Injection with full width apostrophe (') ?

Postby Erlandr » Tue 15 Dec 2015 23:21

Hello,

I am currently helping develop a mid-sized ASP.NET website using Entity Framework and Oracle 12c. We have recently discovered that if a user includes a full width apostrophe in certain searches, the following Oracle error occurs:

ORA-01756: quoted string not properly terminated


Upon further investigation it looks like Oracle treats the full width apostrophe as if it were a single quote. The following SQL will create the same error:

select count(*)
from EXAMPLE_TABLE
where COUNTRY in(''')


Escaping the full width apostrophe solves the problem, however the escape isn't happening in the SQL generated by Devart dotConnect for Oracle. I was able to log the generated SQL to confirm this.

This problem seems to happen with specific method calls, so for this example I am calling .Contains(). Here is a simplified example of what the code is doing:

// search list containing only the full width apostrophe
IEnumerable<string> searchCountries = new[] { "'" };
// EF translates Contains() into an IN (...) list in the generated SQL
query = query.Where(x => searchCountries.Contains(x.COUNTRY));


We are using Entity Framework 6 and dotConnect 8.5.543.

Any help would be appreciated, thanks!
Erlandr
 
Posts: 1
Joined: Tue 15 Dec 2015 22:43
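As an added example (not code from this thread, from Entity Framework or from the Devart provider), the following Python models the escaping gap the post describes: an escaper that only doubles the ASCII apostrophe (U+0027) leaves a fullwidth apostrophe (U+FF07) unescaped inside a spliced IN list, while an escaper that treats both characters as quotes, or an IN list built from bind parameters, does not. The balance check is a simulation of a server that treats both characters as string delimiters; it does not connect to Oracle, and the function and parameter names are the example's own.

```python
# Added example: models the fullwidth-apostrophe escaping gap; builds SQL text only.
ASCII_APOS = "\u0027"      # '  the quote a naive escaper knows about
FULLWIDTH_APOS = "\uff07"  # U+FF07, the character the thread reports Oracle treating as a quote


def naive_literal(value: str) -> str:
    """Quote a string literal, doubling only the ASCII apostrophe."""
    return ASCII_APOS + value.replace(ASCII_APOS, ASCII_APOS * 2) + ASCII_APOS


def hardened_literal(value: str) -> str:
    """Quote a string literal, doubling both U+0027 and U+FF07.

    Assumption: doubling is the right escape for the target server.
    Bind parameters (see build_in_clause_bound) avoid literal splicing altogether.
    """
    escaped = value.replace(ASCII_APOS, ASCII_APOS * 2)
    escaped = escaped.replace(FULLWIDTH_APOS, FULLWIDTH_APOS * 2)
    return ASCII_APOS + escaped + ASCII_APOS


def build_in_clause(column: str, values, literal) -> str:
    """Splice each value into `column IN (...)` using the given literal escaper."""
    return f"{column} IN ({', '.join(literal(v) for v in values)})"


def build_in_clause_bound(column: str, values):
    """Mitigation: emit Oracle-style :name binds and hand the values over separately,
    so no user text ever becomes part of the SQL statement."""
    names = [f"p{i}" for i in range(len(values))]
    sql = f"{column} IN ({', '.join(':' + n for n in names)})"
    return sql, dict(zip(names, values))


def literal_is_closed(sql: str) -> bool:
    """Simulate a parser that treats both apostrophes as delimiters: toggle in/out of
    string state on each one. Ending inside a string is the 'quoted string not
    properly terminated' condition from the thread."""
    in_string = False
    for ch in sql:
        if ch in (ASCII_APOS, FULLWIDTH_APOS):
            in_string = not in_string
    return not in_string


if __name__ == "__main__":
    sample = [FULLWIDTH_APOS]  # constructed search list: one fullwidth apostrophe
    print(build_in_clause("COUNTRY", sample, naive_literal),
          literal_is_closed(build_in_clause("COUNTRY", sample, naive_literal)))
    print(build_in_clause("COUNTRY", sample, hardened_literal),
          literal_is_closed(build_in_clause("COUNTRY", sample, hardened_literal)))
    print(build_in_clause_bound("COUNTRY", sample))
```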

Re: SQL Injection with full width apostrophe (') ?

Postby Shalex » Fri 18 Dec 2015 14:15

We have reproduced the issue and are investigating it. We will notify you about the result.
Shalex
Devart Team
 
Posts: 7793
Joined: Thu 14 Aug 2008 12:44

Re: SQL Injection with full width apostrophe (') ?

Postby Shalex » Fri 25 Dec 2015 09:45

The bug with wrong SQL query generation for a comparison with a string which includes a fullwidth apostrophe is fixed in the newest (8.5.563) build of dotConnect for Oracle: http://forums.devart.com/viewtopic.php?f=1&t=32968.
Shalex
Devart Team
 
Posts: 7793
Joined: Thu 14 Aug 2008 12:44
