SQL Injection with full width apostrophe (＇) ?

Discussion of open issues, suggestions and bugs regarding ADO.NET provider for Oracle
Erlandr
Posts: 1
Joined: Tue 15 Dec 2015 22:43

SQL Injection with full width apostrophe (＇) ?

Post by Erlandr » Tue 15 Dec 2015 23:21

Hello,

I am currently helping develop a mid-sized ASP.NET website using Entity Framework and Oracle 12c. We have recently discovered that if a user includes a full-width apostrophe in certain searches the following Oracle error occurs:
ORA-01756: quoted string not properly terminated
Upon further investigation it looks like Oracle treats the full-width apostrophe as if it were a single quote. The following SQL will create the same error:

select count(*)
from EXAMPLE_TABLE
where COUNTRY in('＇')   -- the literal holds U+FF07, the fullwidth apostrophe, not an ASCII quote
Escaping the full-width apostrophe solves the problem; however, the escape isn't happening in the SQL generated by Devart dotConnect for Oracle. I was able to log the generated SQL to confirm this.

This problem seems to happen with specific method calls, so for this example I am calling .Contains(). Here is a simplified example of what the code is doing:

// the search value is the fullwidth apostrophe U+FF07 (＇), not an ASCII single quote
IEnumerable<string> searchCountries = new[] { "＇" };
// EF translates Contains() into an IN (...) list; the SQL generated for it is what fails
query = query.Where(x => searchCountries.Contains(x.COUNTRY));
We are using Entity Framework 6 and dotConnect 8.5.543.

Any help would be appreciated, thanks!
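The failure mode described in this post, as an added example that is not part of the original post and is not dotConnect's code: a small Python model of ORM-side literal inlining (the IN (...) list that Contains() becomes) next to a scanner that reports an unterminated literal the way the poster says Oracle does when it meets U+FF07. That Oracle treats U+FF07 as a string delimiter is taken from the post and is an assumption of the model, not something verified here; EXAMPLE_TABLE and COUNTRY come from the post, every other name and the sample values are constructed.

```python
# Added example (not Devart's or the poster's code). Models an ORM that inlines
# string literals into generated SQL and a server-side scanner that, as the post
# reports for Oracle, treats the fullwidth apostrophe U+FF07 like an ASCII quote.
# Assumption: the server folds U+FF07 to ' before parsing; the quoting logic is
# general, the folding behaviour is the post's observation.

FULLWIDTH_APOSTROPHE = "\uff07"   # ＇
ASCII_APOSTROPHE = "'"

# Every character the modelled server accepts as a string delimiter.
QUOTE_CHARS = frozenset({ASCII_APOSTROPHE, FULLWIDTH_APOSTROPHE})
ASCII_ONLY = frozenset({ASCII_APOSTROPHE})


def quote_literal(value: str, quote_chars=ASCII_ONLY) -> str:
    """Turn a .NET string into a SQL string literal by doubling every character
    in quote_chars. The ASCII-only default mirrors the escaping the poster saw
    in dotConnect 8.5.543; passing QUOTE_CHARS also doubles U+FF07."""
    escaped = "".join(ch * 2 if ch in quote_chars else ch for ch in value)
    return f"'{escaped}'"


def build_in_query(countries, quote_chars=ASCII_ONLY) -> str:
    """Model of the SQL generated for searchCountries.Contains(x.COUNTRY):
    each value is inlined as a literal inside IN(...)."""
    literals = ", ".join(quote_literal(c, quote_chars) for c in countries)
    return f"select count(*) from EXAMPLE_TABLE where COUNTRY in({literals})"


def unterminated_literal(sql: str, quote_chars=QUOTE_CHARS):
    """Scan sql as a server treating all of quote_chars as delimiters would.
    Returns None when every literal closes, otherwise the offset at which the
    unterminated literal opens (the condition behind ORA-01756)."""
    i, n = 0, len(sql)
    while i < n:
        if sql[i] not in quote_chars:
            i += 1
            continue
        start = i
        i += 1
        while True:
            if i >= n:
                return start            # ran off the end inside a literal
            if sql[i] in quote_chars:
                if i + 1 < n and sql[i + 1] in quote_chars:
                    i += 2              # doubled delimiter: an escaped quote
                    continue
                i += 1                  # closing delimiter
                break
            i += 1
    return None


if __name__ == "__main__":
    # Constructed inputs: the poster's search value and an ordinary O'Brien.
    weak = build_in_query([FULLWIDTH_APOSTROPHE])                 # ASCII-only escaping
    fixed = build_in_query([FULLWIDTH_APOSTROPHE], QUOTE_CHARS)   # both delimiters doubled
    print(weak, "->", unterminated_literal(weak))    # offset of the open literal
    print(fixed, "->", unterminated_literal(fixed))  # None: every literal closes
    print(unterminated_literal(build_in_query(["O'Brien", "Norway"], QUOTE_CHARS)))
```

In EF6 the generated SQL can be captured with the Database.Log property on the context (an Action<string>), which is the same logging the poster used; running the captured statements through unterminated_literal is a cheap regression check for this class of bug. The durable remedy is the one the vendor shipped: have the provider escape (or better, bind as parameters) every character the target server treats as a delimiter, rather than filtering user input for particular apostrophes.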

Shalex
Site Admin
Posts: 9543
Joined: Thu 14 Aug 2008 12:44

Re: SQL Injection with full width apostrophe (＇) ?

Post by Shalex » Fri 18 Dec 2015 14:15

We have reproduced the issue and are investigating it. We will notify you about the result.

Shalex
Site Admin
Posts: 9543
Joined: Thu 14 Aug 2008 12:44

Re: SQL Injection with full width apostrophe (＇) ?

Post by Shalex » Fri 25 Dec 2015 09:45

The bug with the wrong SQL query generation for a comparison with a string that includes a fullwidth apostrophe is fixed in the newest (8.5.563) build of dotConnect for Oracle: http://forums.devart.com/viewtopic.php?f=1&t=32968.
