SQL Injection with full width apostrophe (') ?

Discussion of open issues, suggestions and bugs regarding ADO.NET provider for Oracle
Post Reply
Erlandr
Posts: 1
Joined: Tue 15 Dec 2015 22:43

SQL Injection with full width apostrophe (') ?

Post by Erlandr » Tue 15 Dec 2015 23:21

Hello,

I am currently helping develop a mid sized ASP.NET website using Entity Framework and Oracle 12c. We have recently discovered that if a user includes a full width apostrophe in certain searches the following Oracle error occurs:
ORA-01756: quoted string not properly terminated
Upon further investigation it looks like Oracle treats the full width apostrophe as if it were a single quote. The following SQL will create the same error:

Code: Select all

select count(*)
from EXAMPLE_TABLE
where COUNTRY in(''')
Escaping the full width apostrophe solves the problem, however the escape isn't happening in the SQL generated by Devart dotConnect for Oracle. I was able to log the generated SQL to confirm this.

This problem seems to happen with specific method calls, so for this example I am calling .Contains(). Here is a simplified example of what the code is doing:

Code: Select all

IEnumerable<string> searchCountries = new[] { "'" };
query = query.Where(x=> searchCountries.Contains(x.COUNTRY));
We are using Entity Framework 6 and dotConnect 8.5.543.

Any help would be appreciated, thanks!

Shalex
Site Admin
Posts: 8245
Joined: Thu 14 Aug 2008 12:44

Re: SQL Injection with full width apostrophe (') ?

Post by Shalex » Fri 18 Dec 2015 14:15

We have reproduced the issue and are investigating it. We will notify you about the result.

Shalex
Site Admin
Posts: 8245
Joined: Thu 14 Aug 2008 12:44

Re: SQL Injection with full width apostrophe (') ?

Post by Shalex » Fri 25 Dec 2015 09:45

The bug with the wrong SQL query generation for comparison with the string which includes fullwidth apostrophe is fixed in the newest (8.5.563) build of dotConnect for Oracle: http://forums.devart.com/viewtopic.php?f=1&t=32968.

Post Reply