SQL Injection with full width apostrophe (') ?
Posted: Tue 15 Dec 2015 23:21
Hello,
I am currently helping develop a mid-sized ASP.NET website using Entity Framework and Oracle 12c. We have recently discovered that if a user includes a full width apostrophe in certain searches, the following Oracle error occurs:

Code:
ORA-01756: quoted string not properly terminated

Escaping the full width apostrophe solves the problem; however, the escape isn't happening in the SQL generated by Devart dotConnect for Oracle. I was able to log the generated SQL to confirm this.

Upon further investigation it looks like Oracle treats the full width apostrophe as if it were a single quote. The following SQL will create the same error:

Code:
-- the character between the two ASCII quotes is a full width apostrophe (U+FF07)
select count(*)
from EXAMPLE_TABLE
where COUNTRY in ('＇')

This problem seems to happen with specific method calls, so for this example I am calling .Contains(). Here is a simplified example of what the code is doing:

Code:
IEnumerable<string> searchCountries = new[] { "＇" }; // a single full width apostrophe, U+FF07
IQueryable<ExampleTable> query = context.ExampleTables; // DbContext and entity set names assumed for this snippet
query = query.Where(x => searchCountries.Contains(x.COUNTRY));

We are using Entity Framework 6 and dotConnect 8.5.543.

Any help would be appreciated, thanks!
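The failure described in the post, reduced to a runnable model, as an added example that is not code from the post, from dotConnect, or from Oracle. It assumes the mechanism is the classic one for this symptom: the provider inlines the local collection as SQL string literals and doubles only the ASCII apostrophe, and some later layer (character set conversion with a best-fit mapping is the usual suspect; the post does not identify it) folds U+FF07 to an ASCII `'` after the escaping has already happened. The `BEST_FIT` table, the `EXAMPLE_TABLE` query shape and the `:p0`-style bind names are constructed for the demo. `scan_literals` is a deliberately small tokenizer (no comments, no `q'[...]'` quoting); it only shows whether the payload ends up inside or outside a literal.

```python
# Added example: models the post's symptom and two defences. Not code from the
# forum post, dotConnect or Oracle; the folding step below is an assumption.

FULLWIDTH_APOSTROPHE = "\uff07"  # the character from the post

# Constructed for the demo: U+FF07 collapses to an ASCII apostrophe somewhere
# between the ORM and the SQL parser (which layer does it is not established).
BEST_FIT = {FULLWIDTH_APOSTROPHE: "'"}


def quote_literal(value: str) -> str:
    """Quote an Oracle string literal the naive way: only ASCII ' is doubled."""
    return "'" + value.replace("'", "''") + "'"


def build_in_query(values):
    """Inline a local collection as literals, the shape the post reports
    EF6 producing for .Contains() on a local list."""
    literals = ", ".join(quote_literal(v) for v in values)
    return f"select count(*) from EXAMPLE_TABLE where COUNTRY in ({literals})"


def narrow(text: str) -> str:
    """Simulate the lossy conversion applied to the finished SQL text."""
    return "".join(BEST_FIT.get(ch, ch) for ch in text)


def scan_literals(sql: str):
    """Walk the statement like a SQL tokenizer and return
    (text_seen_as_code, all_literals_terminated). Inside a literal, '' is an
    escaped apostrophe and any other ' ends the literal; text outside
    literals is code. Comments and q'[...]' quoting are not modelled."""
    code, in_literal, i = [], False, 0
    while i < len(sql):
        ch = sql[i]
        if in_literal:
            if ch == "'":
                if sql[i + 1:i + 2] == "'":  # escaped apostrophe, stay inside
                    i += 2
                    continue
                in_literal = False
        elif ch == "'":
            in_literal = True
        else:
            code.append(ch)
        i += 1
    return "".join(code), not in_literal


def reject_unrepresentable(value: str) -> str:
    """Defence 1 (fail closed): refuse input that changes under the conversion,
    so nothing can be re-interpreted after it has been escaped."""
    if narrow(value) != value:
        raise ValueError("input contains characters the session character set "
                         "cannot represent faithfully")
    return value


def build_in_query_bound(values):
    """Defence 2: bind parameters. Values never enter the SQL text, so whatever
    the conversion does to them can change data, not statement structure."""
    names = [f":p{i}" for i in range(len(values))]
    sql = f"select count(*) from EXAMPLE_TABLE where COUNTRY in ({', '.join(names)})"
    return sql, {n[1:]: v for n, v in zip(names, values)}


if __name__ == "__main__":
    for value in (FULLWIDTH_APOSTROPHE, FULLWIDTH_APOSTROPHE + " or 1=1 --"):
        sql = build_in_query([value])
        print("as escaped:     ", scan_literals(sql))
        print("after narrowing:", scan_literals(narrow(sql)))
```

Run stand-alone, the first value reproduces the post's ORA-01756 shape (an unterminated literal after narrowing); the second shows why that error is the benign end of the same bug, since a payload that was safely inside a literal when escaped is parsed as code afterwards. The two checks a practitioner wants from this: confirm that every user-supplied value survives a round trip through the connection character set unchanged (the `reject_unrepresentable` idea, against the real conversion rather than a table), and move the values into bind parameters so the SQL text the parser sees contains no user data at all.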